
Windows Analysis Report
hvix64.exe

Overview

General Information

Sample name: hvix64.exe
Analysis ID: 1579279
MD5: 60c37e8f119030afec51722aa561f768
SHA1: 5559158217b6df32004c8eee33c1ab21dbfde7b1
SHA256: d29b670dbbf40bf66b5c01d20c291f39fdb503fe35fb71f0ab0565dd8797943a
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

ValleyRAT
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for submitted file
Yara detected ValleyRAT
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Deletes itself after installation
Found evasive API chain checking for user administrative privileges
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to disable installed Antivirus / HIPS / PFW
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • hvix64.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\hvix64.exe" MD5: 60C37E8F119030AFEC51722AA561F768)
    • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 7544 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dllhost.exe (PID: 7584 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • ParphaCrashReport64.exe (PID: 7632 cmdline: "C:\Program Files\Windows Mail\ParphaCrashReport64.exe" MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A)
  • cleanup
No configs have been found
Source: Process Memory Space: svchost.exe PID: 1044; Rule: JoeSecurity_ValleyRAT; Description: Yara detected ValleyRAT; Author: Joe Security
    Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hvix64.exe", ParentImage: C:\Users\user\Desktop\hvix64.exe, ParentProcessId: 7392, ParentProcessName: hvix64.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe
    Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hvix64.exe", ParentImage: C:\Users\user\Desktop\hvix64.exe, ParentProcessId: 7392, ParentProcessName: hvix64.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe
    No Suricata rule has matched

    AV Detection

    Source: hvix64.exe; Virustotal: Detection: 15%
    Source: hvix64.exe; ReversingLabs: Detection: 13%
    Source: C:\Windows\System32\svchost.exe; Directory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe; Directory created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: hvix64.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: hvix64.exe, hvix64.exe, 00000000.00000002.1743844700.0000022FCCF00000.00000004.00001000.00020000.00000000.sdmp, hvix64.exe, 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: hvix64.exe, hvix64.exe, 00000000.00000002.1743844700.0000022FCCF00000.00000004.00001000.00020000.00000000.sdmp, hvix64.exe, 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000005.00000002.1770781974.00007FF664553000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe, 00000005.00000000.1763337817.00007FF664552000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.2.dr
    Source: C:\Windows\System32\svchost.exe; Code function: 3_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,3_2_0000000180026810
    Source: C:\Windows\System32\dllhost.exe; Code function: 4_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,4_2_0000000180026810
    Source: C:\Windows\System32\svchost.exe; Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,3_2_000000018001E210
    Source: C:\Windows\System32\svchost.exe; Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001C850
    Source: C:\Windows\System32\svchost.exe; Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exe; Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,3_2_000000018001DDD0
    Source: C:\Windows\System32\dllhost.exe; Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,4_2_000000018001E210
    Source: C:\Windows\System32\dllhost.exe; Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001C850
    Source: C:\Windows\System32\dllhost.exe; Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001CCF0
    Source: C:\Windows\System32\dllhost.exe; Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,4_2_000000018001DDD0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe; Code function: 5_2_00007FF664548F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,5_2_00007FF664548F78
    Source: C:\Windows\System32\svchost.exe; Code function: 3_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180029300
    Source: unknown; TCP traffic detected without corresponding DNS query: 18.166.193.8
    Source: C:\Windows\System32\svchost.exe; Code function: 3_2_0000000180032C50 VirtualAlloc,CreateEventW,WSARecv,WSAGetLastError,WaitForMultipleObjects,WSAGetOverlappedResult,WSAGetLastError,CloseHandle,VirtualFree,3_2_0000000180032C50
    Source: hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado
    Source: hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlBestuur
    Source: hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
    Source: hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosi
    Source: hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_000000018002F1B0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_000000018002F1B0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,3_2_0000000180026200
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_00000001800197D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,3_2_00000001800199F0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_000000018002F1B0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,4_2_0000000180026200
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_00000001800197D0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,4_2_00000001800199F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001AC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage,3_2_000000018001AC60
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001A410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,3_2_000000018001A410
    Source: hvix64.exe, 00000000.00000002.1744359668.0000022FCD02D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevicesmemstr_d29e0acd-f
    Source: C:\Users\user\Desktop\hvix64.exeCode function: 0_2_0000000180005824 realloc,NtQuerySystemInformation,0_2_0000000180005824
    Source: C:\Users\user\Desktop\hvix64.exeCode function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,0_2_00000001800080F2
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,3_2_0000000180011AE0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,3_2_0000000180011C70
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,3_2_0000000180012830
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,4_2_0000000180012830
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,4_2_0000000180011AE0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,4_2_0000000180011C70
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800205A0: CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle,3_2_00000001800205A0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180030180 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,Sleep,3_2_0000000180030180
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800201A0 GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,3_2_00000001800201A0
    Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTaskJump to behavior
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800080F2
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180009BC0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800054D5
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800015B0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180001010
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003833
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180028038
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180014848
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000284D
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018002C080
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003880
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800180EE
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000290C
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180004153
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002170
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000B1AC
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800069E0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800151E8
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002A06
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180001A10
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002A19
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003220
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000225E
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018001AA6C
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000B280
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180006AB0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000C2D0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003AE0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000435B
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000C370
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180023B98
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800033B8
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018001FC0C
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180028464
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003464
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000947B
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002C8A
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180004CB0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800044C1
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003CF2
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002526
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003530
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180007550
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180001D60
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180016D88
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800045A9
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003DBC
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000360B
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000B620
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002E24
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180005E58
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002666
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180029E8C
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000469C
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180024EB0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000BEB0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000B6C0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180008EC0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018001FED8
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_00000001800096E0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000DEE8
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018000C6F0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180003717
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180010F18
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180021F44
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180006F70
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180002777
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180001010
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180001A10
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180001D60
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003833
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180028038
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180014848
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000284D
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018002C080
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003880
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800180EE
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800080F2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000290C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180004153
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002170
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B1AC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800069E0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800151E8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002A06
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002A19
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003220
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000225E
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018001AA6C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B280
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180006AB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000C2D0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003AE0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000435B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000C370
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180023B98
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800033B8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180009BC0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018001FC0C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180028464
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003464
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000947B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002C8A
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180004CB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800044C1
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800054D5
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003CF2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002526
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003530
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180007550
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180016D88
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800045A9
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003DBC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000360B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B620
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002E24
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180005E58
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002666
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180029E8C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000469C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180024EB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000BEB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000B6C0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180008EC0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018001FED8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001800096E0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000DEE8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000000018000C6F0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180003717
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180010F18
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180021F44
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180006F70
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_0000000180002777
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF374F2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF474EE
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF5B480
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32C80
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF43C48
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31C4D
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF57438
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32C33
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF30410
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31B77
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF36370
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF51344
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32B17
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF40318
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3D2E8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3BAF0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF4F2D8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF38AE0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF382C0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3AAC0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF542B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3B2B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF33A9C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF5928C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31A66
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF35258
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32224
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3AA20
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32A0B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF331BC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF339A9
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF309B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF46188
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31160
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF36950
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31926
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32930
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF330F2
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF348D5
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF338C1
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF340B0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3208A
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3887B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32864
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF57864
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF4F00C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF327B8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF38FC0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF52F98
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3B770
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3375B
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32620
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF32EE0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3B6D0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF35EB0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3A680
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF49E6C
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3165E
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31E19
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31E06
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF30E10
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF445E8
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF35DE0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF3A5AC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31570
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF33553
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845BF31D0C
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180012140
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180015150
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800224E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180020680
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800176E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001F9E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001AAD0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180013E10
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180006FF7
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002E010
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180006057
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180001070
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800020C7
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000A110
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180007113
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000612D
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180044140
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180007160
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000517A
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000517C
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180011180
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001A190
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180019190
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000219F
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000A1E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800061EC
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180018230
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180001264
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180031270
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000227C
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027290
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002B2D0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800642E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800062E6
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000D2F0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800062F9
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029300
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180003300
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180062327
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180025340
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018005B380
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800073C0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800173D0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800083E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800013F7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018004C4103_2_000000018004C410
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800144103_2_0000000180014410
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001D4203_2_000000018001D420
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800234643_2_0000000180023464
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800034703_2_0000000180003470
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800244B03_2_00000001800244B0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800054E03_2_00000001800054E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800334F03_2_00000001800334F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800265303_2_0000000180026530
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001E5503_2_000000018001E550
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000656A3_2_000000018000656A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800095883_2_0000000180009588
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800255903_2_0000000180025590
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001B5A03_2_000000018001B5A0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800075D23_2_00000001800075D2
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000F5E03_2_000000018000F5E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000C5F03_2_000000018000C5F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800166303_2_0000000180016630
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800016303_2_0000000180001630
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018003664B3_2_000000018003664B
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800326603_2_0000000180032660
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800566703_2_0000000180056670
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000769C3_2_000000018000769C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000A6A03_2_000000018000A6A0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800486E03_2_00000001800486E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800247003_2_0000000180024700
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800067043_2_0000000180006704
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001F7103_2_000000018001F710
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000271A3_2_000000018000271A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800337603_2_0000000180033760
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800637703_2_0000000180063770
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000176F3_2_000000018000176F
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800187803_2_0000000180018780
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800527903_2_0000000180052790
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800367B83_2_00000001800367B8
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800257C03_2_00000001800257C0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002A7F03_2_000000018002A7F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800308103_2_0000000180030810
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000B8223_2_000000018000B822
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001C8503_2_000000018001C850
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800278703_2_0000000180027870
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800288803_2_0000000180028880
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002F8903_2_000000018002F890
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018003A8BC3_2_000000018003A8BC
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800138D03_2_00000001800138D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000E8DC3_2_000000018000E8DC
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800249303_2_0000000180024930
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800029713_2_0000000180002971
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000E9B03_2_000000018000E9B0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800199F03_2_00000001800199F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180053A003_2_0000000180053A00
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000FA003_2_000000018000FA00
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180021A103_2_0000000180021A10
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180025A103_2_0000000180025A10
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002AA303_2_000000018002AA30
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180003A323_2_0000000180003A32
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180007A333_2_0000000180007A33
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001EA403_2_000000018001EA40
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180005A503_2_0000000180005A50
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180004A983_2_0000000180004A98
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000FAA03_2_000000018000FAA0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180035AD03_2_0000000180035AD0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006B003_2_0000000180006B00
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180005B3E3_2_0000000180005B3E
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180012B503_2_0000000180012B50
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180024B603_2_0000000180024B60
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000CBAB3_2_000000018000CBAB
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180023BC03_2_0000000180023BC0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180002BD63_2_0000000180002BD6
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180008C053_2_0000000180008C05
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180030C203_2_0000000180030C20
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006B003_2_0000000180006B00
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002FC273_2_000000018002FC27
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002FC303_2_000000018002FC30
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002FC393_2_000000018002FC39
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180007C3B3_2_0000000180007C3B
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002FC423_2_000000018002FC42
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002FC4B3_2_000000018002FC4B
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002FC543_2_000000018002FC54
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180065C603_2_0000000180065C60
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002FC5D3_2_000000018002FC5D
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000AC803_2_000000018000AC80
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180035C903_2_0000000180035C90
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180025C903_2_0000000180025C90
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006C983_2_0000000180006C98
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180036C9E3_2_0000000180036C9E
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180061CA73_2_0000000180061CA7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180003CA63_2_0000000180003CA6
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180019CB03_2_0000000180019CB0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180002CD23_2_0000000180002CD2
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001CCF03_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180038D243_2_0000000180038D24
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002AD303_2_000000018002AD30
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006D443_2_0000000180006D44
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000ED503_2_000000018000ED50
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180062D703_2_0000000180062D70
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180001D803_2_0000000180001D80
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180002D8A3_2_0000000180002D8A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180024D903_2_0000000180024D90
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180018DA03_2_0000000180018DA0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180007DA13_2_0000000180007DA1
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002BDC03_2_000000018002BDC0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000EDF03_2_000000018000EDF0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018003DE003_2_000000018003DE00
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180005E063_2_0000000180005E06
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180029E103_2_0000000180029E10
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006E103_2_0000000180006E10
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000CE103_2_000000018000CE10
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000FE203_2_000000018000FE20
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001AE403_2_000000018001AE40
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180007E893_2_0000000180007E89
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180059E903_2_0000000180059E90
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180019EC03_2_0000000180019EC0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180003EC73_2_0000000180003EC7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006EEB3_2_0000000180006EEB
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180005F463_2_0000000180005F46
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180036F5F3_2_0000000180036F5F
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180016F603_2_0000000180016F60
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018005CF703_2_000000018005CF70
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180007F7C3_2_0000000180007F7C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180021F803_2_0000000180021F80
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180001F883_2_0000000180001F88
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180044F903_2_0000000180044F90
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180034FA03_2_0000000180034FA0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180017FA03_2_0000000180017FA0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180015FB03_2_0000000180015FB0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180004FB53_2_0000000180004FB5
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180024FC03_2_0000000180024FC0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001EFC03_2_000000018001EFC0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800121404_2_0000000180012140
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800187804_2_0000000180018780
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180023BC04_2_0000000180023BC0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180019CB04_2_0000000180019CB0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001AE404_2_000000018001AE40
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180006FF74_2_0000000180006FF7
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002E0104_2_000000018002E010
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800060574_2_0000000180006057
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800010704_2_0000000180001070
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800020C74_2_00000001800020C7
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000A1104_2_000000018000A110
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800071134_2_0000000180007113
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000612D4_2_000000018000612D
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800441404_2_0000000180044140
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800151504_2_0000000180015150
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800071604_2_0000000180007160
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000517A4_2_000000018000517A
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000517C4_2_000000018000517C
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800111804_2_0000000180011180
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001A1904_2_000000018001A190
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800191904_2_0000000180019190
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000219F4_2_000000018000219F
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000A1E04_2_000000018000A1E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800061EC4_2_00000001800061EC
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800182304_2_0000000180018230
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800012644_2_0000000180001264
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800312704_2_0000000180031270
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000227C4_2_000000018000227C
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800272904_2_0000000180027290
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002B2D04_2_000000018002B2D0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800642E04_2_00000001800642E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800062E64_2_00000001800062E6
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000D2F04_2_000000018000D2F0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800062F94_2_00000001800062F9
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800293004_2_0000000180029300
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800033004_2_0000000180003300
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800623274_2_0000000180062327
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800253404_2_0000000180025340
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018005B3804_2_000000018005B380
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800073C04_2_00000001800073C0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800173D04_2_00000001800173D0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800083E04_2_00000001800083E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800013F74_2_00000001800013F7
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018004C4104_2_000000018004C410
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800144104_2_0000000180014410
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001D4204_2_000000018001D420
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800234644_2_0000000180023464
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800034704_2_0000000180003470
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800244B04_2_00000001800244B0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800224E04_2_00000001800224E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800054E04_2_00000001800054E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800334F04_2_00000001800334F0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800265304_2_0000000180026530
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001E5504_2_000000018001E550
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000656A4_2_000000018000656A
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800095884_2_0000000180009588
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800255904_2_0000000180025590
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001B5A04_2_000000018001B5A0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800075D24_2_00000001800075D2
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000F5E04_2_000000018000F5E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000C5F04_2_000000018000C5F0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800166304_2_0000000180016630
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800016304_2_0000000180001630
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018003664B4_2_000000018003664B
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800326604_2_0000000180032660
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800566704_2_0000000180056670
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800206804_2_0000000180020680
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000769C4_2_000000018000769C
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000A6A04_2_000000018000A6A0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800486E04_2_00000001800486E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800176E04_2_00000001800176E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800247004_2_0000000180024700
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800067044_2_0000000180006704
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001F7104_2_000000018001F710
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000271A4_2_000000018000271A
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800337604_2_0000000180033760
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800637704_2_0000000180063770
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000176F4_2_000000018000176F
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800527904_2_0000000180052790
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800367B84_2_00000001800367B8
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800257C04_2_00000001800257C0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002A7F04_2_000000018002A7F0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800308104_2_0000000180030810
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000B8224_2_000000018000B822
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001C8504_2_000000018001C850
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800278704_2_0000000180027870
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800288804_2_0000000180028880
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002F8904_2_000000018002F890
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018003A8BC4_2_000000018003A8BC
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800138D04_2_00000001800138D0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000E8DC4_2_000000018000E8DC
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800249304_2_0000000180024930
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800029714_2_0000000180002971
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000E9B04_2_000000018000E9B0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001F9E04_2_000000018001F9E0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_00000001800199F04_2_00000001800199F0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180053A004_2_0000000180053A00
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000FA004_2_000000018000FA00
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180021A104_2_0000000180021A10
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180025A104_2_0000000180025A10
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002AA304_2_000000018002AA30
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180003A324_2_0000000180003A32
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180007A334_2_0000000180007A33
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001EA404_2_000000018001EA40
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180005A504_2_0000000180005A50
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180004A984_2_0000000180004A98
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000FAA04_2_000000018000FAA0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180035AD04_2_0000000180035AD0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001AAD04_2_000000018001AAD0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180006B004_2_0000000180006B00
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180005B3E4_2_0000000180005B3E
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180012B504_2_0000000180012B50
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180024B604_2_0000000180024B60
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018000CBAB4_2_000000018000CBAB
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180002BD64_2_0000000180002BD6
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180008C054_2_0000000180008C05
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180030C204_2_0000000180030C20
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180006B004_2_0000000180006B00
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002FC274_2_000000018002FC27
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002FC304_2_000000018002FC30
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002FC394_2_000000018002FC39
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180007C3B4_2_0000000180007C3B
    Source: C:\Windows\System32\svchost.exeCode function: String function: 0000000180044F40 appears 61 times
    Source: C:\Windows\System32\svchost.exeCode function: String function: 0000000180041800 appears 91 times
    Source: C:\Windows\System32\dllhost.exeCode function: String function: 0000000180044F40 appears 61 times
    Source: C:\Windows\System32\dllhost.exeCode function: String function: 0000000180041800 appears 91 times
    Source: hvix64.exeStatic PE information: invalid certificate
    Source: hvix64.exeBinary or memory string: OriginalFilename vs hvix64.exe
    Source: hvix64.exe, 00000000.00000002.1743844700.0000022FCCF00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearphaCrashReport.exe2 vs hvix64.exe
    Source: hvix64.exe, 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearphaCrashReport.exe2 vs hvix64.exe
    Source: hvix64.exeStatic PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
    Source: hvix64.exe, 00000000.00000002.1746476578.00007FF66709C000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it
    Source: classification engineClassification label: mal92.troj.evad.winEXE@7/3@0/1
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,3_2_0000000180020680
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180027290
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180029300
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,3_2_0000000180020480
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180027870
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,3_2_0000000180029A70
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,3_2_000000018001FD10
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,3_2_000000018002CE70
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_0000000180027290
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_0000000180029300
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,4_2_0000000180020480
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,4_2_0000000180020680
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_0000000180027870
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,4_2_0000000180029A70
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,4_2_000000018001FD10
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,4_2_000000018002CE70
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C4E0 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW,3_2_000000018001C4E0
    Source: C:\Windows\System32\svchost.exe | Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,3_2_00000001800263C0
    Source: C:\Windows\System32\dllhost.exe | Code function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_00000001800263C0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800223B0 CreateToolhelp32Snapshot,malloc,Process32FirstW,lstrlenW,lstrlenW,Process32NextW,lstrlenW,Process32NextW,free,CloseHandle,3_2_00000001800223B0
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance,0_2_0000000180001A10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FF664534000 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,5_2_00007FF664534000
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180012140 WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess,3_2_0000000180012140
    Source: C:\Windows\System32\svchost.exe | File created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: hvix64.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\hvix64.exe | System information queried: HandleInformation
    Source: C:\Users\user\Desktop\hvix64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: hvix64.exe | Virustotal: Detection: 15%
    Source: hvix64.exe | ReversingLabs: Detection: 13%
    Source: svchost.exe | String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: svchost.exe | String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: dllhost.exe | String found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: dllhost.exe | String found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: unknown | Process created: C:\Users\user\Desktop\hvix64.exe "C:\Users\user\Desktop\hvix64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\hvix64.exe | Section loaded: dwrite.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devenum.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msdmo.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: apphelp.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: arphadump64.dll
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: hvix64.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: hvix64.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: hvix64.exe | Static file information: File size 23278936 > 1048576
    Source: hvix64.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9bec00
    Source: hvix64.exe | Static PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0xbf0400
    Source: hvix64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: hvix64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: hvix64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: hvix64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: hvix64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: hvix64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: hvix64.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: hvix64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: hvix64.exe, hvix64.exe, 00000000.00000002.1743844700.0000022FCCF00000.00000004.00001000.00020000.00000000.sdmp, hvix64.exe, 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: hvix64.exe, hvix64.exe, 00000000.00000002.1743844700.0000022FCCF00000.00000004.00001000.00020000.00000000.sdmp, hvix64.exe, 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000005.00000002.1770781974.00007FF664553000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe, 00000005.00000000.1763337817.00007FF664552000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.2.dr
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845B3A0508 LoadLibraryA,GetProcAddressForCaller,2_2_000001845B3A0508
    Source: hvix64.exe | Static PE information: section name: .vmp2
    Source: hvix64.exe | Static PE information: section name: .qtmetad
    Source: hvix64.exe | Static PE information: section name: .qtmimed
    Source: hvix64.exe | Static PE information: section name: _RDATA
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C3E0 push rcx; ret 3_2_000000018001C3E1
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800619F7 push FF491775h; ret 3_2_00000001800619FC
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001C3E0 push rcx; ret 4_2_000000018001C3E1
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_00000001800619F7 push FF491775h; ret 4_2_00000001800619FC
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800230FE VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,3_2_00000001800230FE
    Source: C:\Windows\System32\svchost.exe | File created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002D060 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_000000018002D060

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\svchost.exe | File deleted: c:\users\user\desktop\hvix64.exe
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001BFC0 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,3_2_000000018001BFC0
    Source: C:\Users\user\Desktop\hvix64.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\hvix64.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\hvix64.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\hvix64.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\hvix64.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\hvix64.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\System32\dllhost.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Users\user\Desktop\hvix64.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode graph_0-13630
    Source: C:\Windows\System32\svchost.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode graph_2-27922
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180016F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180016F60
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,0_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,2_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,3_2_000000018002D140
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018002F890
    Source: C:\Windows\System32\dllhost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,4_2_000000018002D140
    Source: C:\Windows\System32\dllhost.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018002F890
    Source: C:\Windows\System32\svchost.exe | API coverage: 7.5 %
    Source: C:\Windows\System32\dllhost.exe | API coverage: 3.2 %
    Source: C:\Windows\System32\svchost.exe TID: 7524 | Thread sleep count: 32 > 30
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,3_2_000000018001E210
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001C850
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,3_2_000000018001DDD0
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,4_2_000000018001E210
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001C850
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001CCF0
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,4_2_000000018001DDD0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FF664548F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,5_2_00007FF664548F78
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180029300
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800224E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_00000001800224E0
    Source: svchost.exe, 00000002.00000002.2977530184.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
    Source: hvix64.exe | Binary or memory string: .?AVQEmulationPaintEngine@@
    Source: svchost.exe, 00000002.00000002.2977598200.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.1725807215.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2976579345.000002D977413000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: dllhost.exe, 00000004.00000002.2976440759.00000182923CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll((
    Source: C:\Users\user\Desktop\hvix64.exe | API call chain: ExitProcess graph end node graph_0-13637
    Source: C:\Windows\System32\svchost.exe | API call chain: ExitProcess graph end node graph_2-27929
    Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,3_2_000000018002E010
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180064130
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FF66453D1E8 GetLastError,IsDebuggerPresent,OutputDebugStringW,5_2_00007FF66453D1E8
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180016F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_0000000180016F60
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180034DA0 VirtualAlloc ?,?,00000000,0000000180035130,?,?,00000000,0000000180014AAC,3_2_0000000180034DA0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845B3A0508 LoadLibraryA,GetProcAddressForCaller,2_2_000001845B3A0508
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800194C0 CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,WaitForSingleObject,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,WaitForSingleObject,VirtualFree,VirtualFree,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,3_2_00000001800194C0
    Source: C:\Users\user\Desktop\hvix64.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\svchost.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\svchost.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_00000001801129E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00000001801129E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180060030
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180064130
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0000000180060770
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000180060030
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000180064130
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0000000180060770
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF66453EEF4 SetUnhandledExceptionFilter,5_2_00007FF66453EEF4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF6645421D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF6645421D8
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF66453E440 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF66453E440
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF66453ED0C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF66453ED0C

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\svchost.exe | File created: ParphaCrashReport64.exe.2.dr
    Source: C:\Users\user\Desktop\hvix64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\hvix64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845BE00000 protect: page read and write
    Source: C:\Users\user\Desktop\hvix64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\hvix64.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B390000 protect: page read and write
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001F9E0 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError,3_2_000000018001F9E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,3_2_000000018002E4D0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,3_2_000000018001F710
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,3_2_0000000180029E10
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,4_2_000000018002E4D0
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,4_2_000000018001F710
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,4_2_0000000180029E10
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 7544
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 7584
    Source: C:\Users\user\Desktop\hvix64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B370000
    Source: C:\Users\user\Desktop\hvix64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845BE00000
    Source: C:\Users\user\Desktop\hvix64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
    Source: C:\Users\user\Desktop\hvix64.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 18292200000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 18292290000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 182921F0000
    Source: C:\Windows\System32\svchost.exe | Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe 3_2_0000000180012140
    Source: C:\Windows\System32\dllhost.exe | Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe 4_2_0000000180012140
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,3_2_000000018002E010
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,3_2_000000018002E010
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\svchost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\dllhost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: dllhost.exe, 00000004.00000003.2961263042.0000018294930000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager
    Source: svchost.exe, 00000003.00000003.2377527258.000002D978380000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2377555589.000002D9783F0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000004.00000003.2357630281.0000018294930000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Managerl&"[System Process]
    Source: svchost.exe, 00000003.00000003.2377804772.000002D978BA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2377579581.000002D978C20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TCPProgram Managerl&"[System Process]
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_000000018002BBA8 cpuid 0_2_000000018002BBA8
    Source: C:\Users\user\Desktop\hvix64.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027E20 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,3_2_0000000180027E20
    Source: C:\Users\user\Desktop\hvix64.exe | Code function: 0_2_0000000180112B5C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000000180112B5C
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800224E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_00000001800224E0

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,3_2_0000000180021520
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,3_2_0000000180047630
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018004A830 socket,socket,htonl,bind,getsockname,3_2_000000018004A830
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,3_2_0000000180056B30
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,4_2_0000000180021520
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,4_2_0000000180047630
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018004A830 socket,socket,htonl,bind,getsockname,4_2_000000018004A830
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,4_2_0000000180056B30
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | 21 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 Create Account | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 11 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 12 Windows Service | 12 Windows Service | 1 Software Packing | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | 12 Service Execution | 1 Scheduled Task/Job | 523 Process Injection | 1 DLL Side-Loading | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 1 File Deletion | Cached Domain Credentials | 1 Network Share Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | 41 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 4 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Access Token Manipulation | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 523 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
    Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Indicator Removal | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Source | Detection | Scanner | Label
    hvix64.exe | 15% | Virustotal |
    hvix64.exe | 13% | ReversingLabs | Win64.Dropper.Generic
    Source | Detection | Scanner | Label
    C:\Program Files\Windows Mail\ParphaCrashReport64.exe | 4% | ReversingLabs |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://support.google.com/chrome/answer/6098869?hl=es | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://support.google.com/chrome/answer/6098869 | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://www.google.com/chrome/privacy/eula_text.html | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=es-419Ctrl$1 | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=etCtrl$1 | hvix64.exe | false | | high
    https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.comSaved | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chrome.google.com/webstore?hl=zh-TWCtrl$1 | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://myactivity.google.com/ | hvix64.exe | false | | high
    https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.comSelle | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://passwords.google.comGestoorde | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chromeenterprise.google/policies/#BrowserSwitcherUrlList | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.com | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://policies.google.com/ | hvix64.exe | false | | high
    https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=esCtrl$1 | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://ejemplo.com.Se | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chrome.google.com/webstore?hl=afCtrl$1 | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.comSe | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://www.google.com/chrome/privacy/eula_text.html&AideG | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chromeenterprise.google/policies/#BrowserSwitcherEnabled | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.comMots | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chrome.google.com/webstore/category/extensions | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://support.google.com/chromebook?p=app_intent | hvix64.exe | false | | high
    https://chrome.google.com/webstore?hl=frCtrl$1 | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.comT | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://support.google.com/chrome/answer/96817 | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://support.google.com/chrome/a/?p=browser_profile_details | hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=filCtrl$1 | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab | hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmp | false | | high
                                                                                      https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrlhvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                        high
                                                                                        https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaanhvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                          high
                                                                                          https://passwords.google.comMgahvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                            unknown
                                                                                            https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelisthvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                              high
                                                                                              https://support.google.com/chrome/a/answer/9122284hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                high
                                                                                                https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/?hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                  high
                                                                                                  https://chrome.google.com/webstore?hl=enCtrl$1hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                    high
                                                                                                    https://passwords.google.comContrasehvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                      unknown
                                                                                                      https://chrome.google.com/webstore?hl=fiCtrl$1hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                        high
                                                                                                        https://www.google.com/chrome/privacy/eula_text.htmlBestuurhvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                          high
                                                                                                          https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosihvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                            high
                                                                                                            http://ejemplo.comhvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                              unknown
                                                                                                              https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylisthvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                                high
                                                                                                                https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministradohvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                                  high
                                                                                                                  https://chrome.google.com/webstore?hl=en-GBCtrl$1hvix64.exe, 00000000.00000002.1746476578.00007FF666866000.00000008.00000001.01000000.00000003.sdmp, hvix64.exe, 00000000.00000000.1719172318.00007FF666815000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
18.166.193.8 | unknown | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579279
Start date and time: 2024-12-21 12:41:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hvix64.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@7/3@0/1
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 56
• Number of non-executed functions: 283
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ParphaCrashReport64.exe, PID 7632, because there are no executed functions
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
11:42:13 | Task Scheduler | Run new task: MicrosoftMailUpdateTask path: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
                                                                                                                    No context
                                                                                                                    No context
Match: AMAZON-02US
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
mips.nn.elf | malicious | Mirai, Okiru | 34.221.123.182
arm5.nn.elf | malicious | Mirai, Okiru | 3.196.33.98
arm.nn.elf | malicious | Mirai, Okiru | 18.203.198.124
arm7.nn.elf | malicious | Mirai, Okiru | 15.228.127.139
sh4.nn.elf | malicious | Mirai, Okiru | 13.217.229.62
x86_32.nn.elf | malicious | Mirai, Okiru | 3.201.109.132
mipsel.nn.elf | malicious | Mirai, Okiru | 175.41.191.50
powerpc.nn.elf | malicious | Mirai, Okiru | 54.182.250.212
nshkarm7.elf | malicious | Mirai | 52.11.191.179
nshmpsl.elf | malicious | Mirai | 13.220.3.75
                                                                                                                    No context
Match: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
Associated Sample Name / URL | Detection | Threat Name
2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT
2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT
png131.exe | malicious | ValleyRAT
install.exe | malicious | ValleyRAT
Telegrm2.69.exe | malicious | Unknown
Telegrm2.69.exe | malicious | Unknown
file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip | malicious | Unknown
SvpnLong2.exe | malicious | Unknown
SvpnLong2.exe | malicious | Unknown
Cbrome1.0.exe | malicious | Unknown
Process: C:\Windows\System32\svchost.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 238384
Entropy (8bit): 6.278635939854228
Encrypted: false
SSDEEP: 3072:fN9rZ5vuFomptSepjTxUPjfOgwXCtRLDya09M9EvoHmkQ/2Y8L6vVefD:rZ5qomPSeCx7tRNQjSfD
MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A
SHA1: DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
SHA-256: E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
SHA-512: 1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: 2024-12-10#U67e5#U9605_uninst.exe, Detection: malicious
• Filename: 2024-12-10#U67e5#U9605_uninst.exe, Detection: malicious
• Filename: png131.exe, Detection: malicious
• Filename: install.exe, Detection: malicious
• Filename: Telegrm2.69.exe, Detection: malicious
• Filename: Telegrm2.69.exe, Detection: malicious
• Filename: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection: malicious
• Filename: SvpnLong2.exe, Detection: malicious
• Filename: SvpnLong2.exe, Detection: malicious
• Filename: Cbrome1.0.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:...;...:...;)..:...;...:...;...:...;...:...;...:...;...:3..;...:...:...:3..;...:3.4:...:..\:...:3..;...:Rich...:........................PE..d......`.........."..........t......$..........@....................................j.....`..........................................................p...-...P.......h..0;......l...P...8.......................(.................... ..@............................text............................... ..`.rdata..F.... ......................@..@.data...L&... ......................@....pdata.......P......................@..@.rsrc....-...p.......2..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 546252
Entropy (8bit): 6.543985233910406
Encrypted: false
SSDEEP: 12288:awnKbeNO/thmmWIK3z9rG3U9szzrHUPRxG0+UfYlrYSe:flXDp9HPYlr5e
MD5: 55EF931D0099F4A27D6291E8149F9BEE
SHA1: 3139CC82AC7E924885D12221CE269551086758F8
SHA-256: 6AC58F3AF83E181925CF487AFC833998FC7BCF7BF87DF9356D6383F562AECC9A
SHA-512: 2E72BD59E5C193D36167EA8FAB6A7CE92FFAF781024B97C755AEF576BD50C76C15C3DF05C7FFA0DD9ABDAF2738EAE5C7CE9B8B3CF9B803E475170446D0B0BEDA
Malicious: false
Reputation: low
                                                                                                                                        Preview:4...H..(H...D$8run.H.L$8.O...H..(...eH..%`......D..3.L..E..t"A........A..a.J..L.I....A..D....u..H.A.....H.\$.H.l$.H.t$.WAVAWH.. D......H.P.H.j L..I.......M..L.P0M..tLIcB<B.........t<I.<..O.I...j....w 3.I..D..9_.v...I...P...A..D;.t+..H...;_.r.L;.u.3.H.\$@H.l$HH.t$PH.. A_A^_.O$I..D...Y.O.I..B...I.......@SH.. H.......%...H..H.. [H....H.\$.WH.. H..H...........H..H..H.\$0H.. _H.....H.\$.UVWATAUAVAWH.. L..M..3.Z.H........2=..L.......-A..H.D$x....M..M.f.H.D$p3...A..y.H..(fA;A.s|I..9.u29E8~ZHc]8A......O.H..I..A.....A..L..G.3.H...T$p.-.O.A.......I..A.....A..W.H..D..I..H...T$x._.I....H..(..H......;.|.H.\$`H.. A_A^A]A\_^].H.\$.H.l$.H.t$ WATAUAVAWH..@L..-A........ ...H.L$ D..H..3...D.g.E..H.L$ A....E..W.H.L$$..E..W.H.L$(..E..W.H.L$,..E..W.H.L$0..E..W`H.L$4..E..H.L$8....E..W H.L$<....O.B....../.H...5...M..E3.L..A..H.........A..Y.I.q0H..(H#.fE;i.......I..D.C.A.....A.....E..A#.A...A#.A....s..K.A..@....H.....OH..B..I..RD.T. A....A....D.CT. ..u.A..@t.A.A ..E..y.A.A$..t..K.L.L$pH...E.
Process: C:\Windows\System32\svchost.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 3198
Entropy (8bit): 3.559796516107948
Encrypted: false
SSDEEP: 48:yei1q9tNTyOXZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTKp+++:tX4diaigVA9ll7dhFF7+
MD5: 79C8530188472FA4159DE398A9CA797F
SHA1: 0B8743354489D4460DA39E8E4EF2230E9925F638
SHA-256: 46722563913B24900DFD02AFD809AE2BBABB5CE420AA81ECBF008F7ACE247F34
SHA-512: 2079F7EA505FC410028A0D36A408AFE97E0BDED14548EE6448F692FEEF2D55D52CE6EC9DF5A016C6737595275FF6BD5F4D5397F0C128445ED262B75BF4DD7EE5
Malicious: false
Reputation: low
Preview (UTF-16 text decoded; truncated where the report's preview ends):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>SYSTEM</Author>
    <Description>Microsoft Mail Update Task MachineCore</Description>
    <URI>\Microsoft\Windows\MicrosoftMailUpdateTask</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</Us
                                                                                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                        Entropy (8bit):6.997705641446781
                                                                                                                                        TrID:
                                                                                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                        File name:hvix64.exe
                                                                                                                                        File size:23'278'936 bytes
                                                                                                                                        MD5:60c37e8f119030afec51722aa561f768
                                                                                                                                        SHA1:5559158217b6df32004c8eee33c1ab21dbfde7b1
                                                                                                                                        SHA256:d29b670dbbf40bf66b5c01d20c291f39fdb503fe35fb71f0ab0565dd8797943a
                                                                                                                                        SHA512:b3ad900f0225c16b2e13e866696f889f17fd0c51a861380c8b038e6f573fc41436305b111d8bf0fcfa6569af08291199074755f77e0c46dbf24d6186667ebcfb
                                                                                                                                        SSDEEP:393216:D1/Uf6MyNXElYsjLl7Skew2j+bqJqJsv6tWKFdu9C:J4pKRiqJ
                                                                                                                                        TLSH:8B37BF07B2900699E072E078DA47C127FB71F418A76097DB35A896D92F73BF0A93B351
                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................|.....7.............................................r...................\...r.......s.......s......
                                                                                                                                        Icon Hash:8c183c3aceacac48
                                                                                                                                        Entrypoint:0x1408afff0
                                                                                                                                        Entrypoint Section:.text
                                                                                                                                        Digitally signed:true
                                                                                                                                        Imagebase:0x140000000
                                                                                                                                        Subsystem:windows gui
                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                        Time Stamp:0x675000B5 [Wed Dec 4 07:11:49 2024 UTC]
                                                                                                                                        TLS Callbacks:
                                                                                                                                        CLR (.Net) Version:
                                                                                                                                        OS Version Major:6
                                                                                                                                        OS Version Minor:0
                                                                                                                                        File Version Major:6
                                                                                                                                        File Version Minor:0
                                                                                                                                        Subsystem Version Major:6
                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                        Import Hash:7ef050b01014b0234d5be0c3d4a81582
                                                                                                                                        Signature Valid:false
                                                                                                                                        Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                        Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                        Error Number:-2146869232
Not Before: 03/02/2023 00:05:41
Not After: 01/02/2024 00:05:41
Subject Chain: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                        Version:3
                                                                                                                                        Thumbprint MD5:8BA9D783638C7A19E193C5B6A251F742
                                                                                                                                        Thumbprint SHA-1:58FD671E2D4D200CE92D6E799EC70DF96E6D2664
                                                                                                                                        Thumbprint SHA-256:1721693D3E23C7ABF800AE7B86654ED86DCEAB48C530A57C00D24EF23FF7407E
                                                                                                                                        Serial:330000041331BC198807A90774000000000413
                                                                                                                                        Instruction
                                                                                                                                        dec eax
                                                                                                                                        sub esp, 28h
                                                                                                                                        call 00007F965146886Ch
                                                                                                                                        dec eax
                                                                                                                                        add esp, 28h
                                                                                                                                        jmp 00007F9651467BCFh
                                                                                                                                        int3
                                                                                                                                        int3
                                                                                                                                        dec eax
                                                                                                                                        mov dword ptr [esp+08h], ebx
                                                                                                                                        push edi
                                                                                                                                        dec eax
                                                                                                                                        sub esp, 20h
                                                                                                                                        mov edx, 00000FA0h
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [00D17776h]
                                                                                                                                        call dword ptr [00110668h]
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [00BD9769h]
                                                                                                                                        call dword ptr [001102BBh]
                                                                                                                                        dec eax
                                                                                                                                        mov ebx, eax
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        jne 00007F9651467D67h
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [00BD979Ch]
                                                                                                                                        call dword ptr [001102A6h]
                                                                                                                                        dec eax
                                                                                                                                        mov ebx, eax
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        je 00007F9651467DD1h
                                                                                                                                        dec eax
                                                                                                                                        lea edx, dword ptr [00BD97A7h]
                                                                                                                                        dec eax
                                                                                                                                        mov ecx, ebx
                                                                                                                                        call dword ptr [00110296h]
                                                                                                                                        dec eax
                                                                                                                                        lea edx, dword ptr [00BD97B7h]
                                                                                                                                        dec eax
                                                                                                                                        mov ecx, ebx
                                                                                                                                        dec eax
                                                                                                                                        mov edi, eax
                                                                                                                                        call dword ptr [00110283h]
                                                                                                                                        dec eax
                                                                                                                                        test edi, edi
                                                                                                                                        je 00007F9651467D67h
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        je 00007F9651467D62h
                                                                                                                                        dec eax
                                                                                                                                        mov dword ptr [00D1773Ah], edi
                                                                                                                                        dec eax
                                                                                                                                        mov dword ptr [00D1773Bh], eax
                                                                                                                                        jmp 00007F9651467D70h
                                                                                                                                        inc ebp
                                                                                                                                        xor ecx, ecx
                                                                                                                                        inc ebp
                                                                                                                                        xor eax, eax
                                                                                                                                        xor ecx, ecx
                                                                                                                                        inc ecx
                                                                                                                                        lea edx, dword ptr [ecx+01h]
                                                                                                                                        call dword ptr [001105A7h]
                                                                                                                                        dec eax
                                                                                                                                        mov dword ptr [00D176E8h], eax
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        je 00007F9651467D76h
                                                                                                                                        xor ecx, ecx
                                                                                                                                        call 00007F9651467879h
                                                                                                                                        test al, al
                                                                                                                                        je 00007F9651467D6Bh
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [0000001Dh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9c0f38 | 0x154 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x161b000 | 0x21ea8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa221a8 | 0x75e1c | .vmp2
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1631000 | 0x2558 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x163d000 | 0xc1f8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14d1238 | 0x1c | .vmp2
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x14d1400 | 0x28 | .vmp2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14d1260 | 0x138 | .vmp2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c0000 | 0xf10 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9bea60 | 0x9bec00 | ad7a18a94e844ab16267efbd30a99280 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.idata | 0x9c0000 | 0x424e | 0x4400 | ffa77a54d4f138e8c9bbfab0fcc8e5ef | False | 0.3131893382352941 | data | 4.775786531589324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp2 | 0x9c5000 | 0xc0455c | 0xbf0400 | 4c873b07176e22ce18d7f04c3f33cd73 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.qtmetad | 0x15ca000 | 0x536 | 0x600 | bfd0a37e057f358d80d1716d9a9abd7e | False | 0.24609375 | data | 5.0500249701877475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.qtmimed | 0x15cb000 | 0x4ece5 | 0x4ee00 | 2d32d357ab751ffbbb513570c6ee6986 | False | 0.997458770800317 | gzip compressed data, original size modulo 2^32 0 | 7.998000978505572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
_RDATA | 0x161a000 | 0x130 | 0x200 | 4cf87728c7431acc28c0e2229f313f5a | False | 0.318359375 | data | 2.6787961516860954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x161b000 | 0x21ea8 | 0x22000 | 81e384a870fe61afeb15e7ad050af826 | False | 0.06386431525735294 | data | 0.8760938299552002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x163d000 | 0xc1f8 | 0xc200 | ae4ac34fee01f20308f4133c27853680 | False | 0.16233086340206185 | data | 5.483512500297378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x161b1f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.038137347687211644
RT_ICON | 0x162ba20 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m | | | 0.06277590918646206
RT_ICON | 0x1634ec8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.0839041095890411
RT_ICON | 0x16390f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.11047717842323651
RT_ICON | 0x163b698 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.15431519699812382
RT_ICON | 0x163c740 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.28102836879432624
RT_GROUP_ICON | 0x163cba8 | 0x5a | data | | | 0.7777777777777778
RT_VERSION | 0x163cc04 | 0x29c | data | English | United States | 0.4820359281437126
DLL | Import
WTSAPI32.dll | WTSFreeMemory, WTSQuerySessionInformationW
UxTheme.dll | GetThemeColor, GetThemeInt, GetThemePartSize, OpenThemeData, GetThemeEnumValue, GetThemeMargins, GetCurrentThemeName, IsAppThemed, IsThemeActive, SetWindowTheme, GetThemeBool, IsThemeBackgroundPartiallyTransparent, GetThemeBackgroundRegion, CloseThemeData, GetThemeTransitionDuration, GetThemePropertyOrigin
dwmapi.dll | DwmGetWindowAttribute, DwmIsCompositionEnabled, DwmSetWindowAttribute, DwmEnableBlurBehindWindow
GDI32.dll | CreateRectRgn, DeleteDC, DeleteObject, GetRegionData, SelectClipRgn, SelectObject, CreateDIBSection, GdiFlush, BitBlt, CreateCompatibleDC, SetLayout, GetDeviceCaps, CreateCompatibleBitmap, CreateDCW, CreateBitmap, ChoosePixelFormat, SetPixelFormat, DescribePixelFormat, GetPixelFormat, SwapBuffers, GetBitmapBits, GetObjectW, CreateFontIndirectW, EnumFontFamiliesExW, GetFontData, GetStockObject, AddFontResourceExW, RemoveFontResourceExW, AddFontMemResourceEx, RemoveFontMemResourceEx, GetTextMetricsW, GetTextFaceW, GetCharABCWidthsW, GetCharABCWidthsFloatW, GetGlyphOutlineW, GetOutlineTextMetricsW, GetTextExtentPoint32W, GetCharABCWidthsI, SetBkMode, SetGraphicsMode, SetTextColor, SetTextAlign, SetWorldTransform, ExtTextOutW, CombineRgn, OffsetRgn, GetDIBits
OLEAUT32.dll | SafeArrayPutElement, SysAllocString, SafeArrayCreateVector, SysFreeString
IMM32.dll | ImmGetVirtualKey, ImmSetCandidateWindow, ImmGetDefaultIMEWnd, ImmGetContext, ImmReleaseContext, ImmAssociateContext, ImmAssociateContextEx, ImmGetCompositionStringW, ImmGetOpenStatus, ImmNotifyIME, ImmSetCompositionWindow
KERNEL32.dll | EnterCriticalSection, RaiseException, lstrcmpW, GetLastError, GetCurrentThreadId, GetModuleHandleW, GetProcAddress, LocalFree, FormatMessageW, WTSGetActiveConsoleSessionId, ExpandEnvironmentStringsW, CloseHandle, CreateProcessW, CheckRemoteDebuggerPresent, OpenProcess, GlobalAlloc, GlobalUnlock, GlobalLock, GetLocaleInfoW, LoadLibraryW, LoadLibraryA, GlobalSize, GetCurrentProcessId, GetUserDefaultLangID, CreateFileW, GetFileSizeEx, ReadFile, WriteFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, WideCharToMultiByte, RtlPcToFileHeader, GetExitCodeProcess, GetUserGeoID, InitializeCriticalSectionEx, GetTimeZoneInformation, GetModuleHandleExW, FreeLibrary, FindNextFileW, VirtualFree, VirtualAlloc, CreateMutexW, ReleaseMutex, InitializeCriticalSection, WriteConsoleW, HeapSize, GetProcessHeap, FreeEnvironmentStringsW, FindFirstFileExW, FindNextChangeNotification, FindFirstChangeNotificationW, FindCloseChangeNotification, MultiByteToWideChar, LCMapStringW, CompareStringW, RegisterWaitForSingleObject, UnregisterWaitEx, SetFilePointerEx, SetEndOfFile, GetFileType, FlushFileBuffers, GetFileInformationByHandleEx, SystemTimeToFileTime, FileTimeToSystemTime, TzSpecificLocalTimeToSystemTime, MoveFileExW, MoveFileW, CopyFileW, DeviceIoControl, SetErrorMode, GetVolumePathNamesForVolumeNameW, GetTempPathW, SetFileTime, RemoveDirectoryW, GetLogicalDrives, GetFullPathNameW, GetFileInformationByHandle, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, GetModuleFileNameW, GetStartupInfoW, GetTickCount64, QueryPerformanceFrequency, QueryPerformanceCounter, GetFileAttributesExW, GetUserPreferredUILanguages, GetUserDefaultLCID, GetCurrencyFormatW, GetTimeFormatW, GetDateFormatW, ResetEvent, GetSystemInfo, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, ResumeThread, TerminateThread, GetThreadPriority, SetThreadPriority, GetCurrentThread, CreateThread, WaitForMultipleObjects, Sleep, WaitForSingleObject, DuplicateHandle, GetSystemDirectoryW, CreateEventW, WaitForSingleObjectEx, SetEvent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, OutputDebugStringW, GetLocalTime, GetSystemTime, InitializeCriticalSectionAndSpinCount, GetCommandLineW, CompareStringEx, GetConsoleWindow, GetDriveTypeW, GetVolumeInformationW, GetLongPathNameW, DeleteCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, SetLastError, RtlUnwind, LoadLibraryExW, ExitProcess, GetCommandLineA, ExitThread, FreeLibraryAndExitThread, SetFileAttributesW, SetStdHandle, GetConsoleMode, ReadConsoleW, GetConsoleCP, GetStdHandle, HeapFree, HeapAlloc, HeapReAlloc, RtlUnwindEx, GetCPInfo, IsValidLocale, GetGeoInfoW, SetEnvironmentVariableW, IsValidCodePage, GetACP, GetOEMCP, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnumSystemLocalesW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, InitializeSListHead
ole32.dll | OleFlushClipboard, OleGetClipboard, OleSetClipboard, CoCreateGuid, CoInitialize, CoCreateInstance, CoUninitialize, OleUninitialize, OleInitialize, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleIsCurrentClipboard, DoDragDrop, CoTaskMemFree, ReleaseStgMedium, CoInitializeEx, CoGetMalloc, StringFromGUID2
SHELL32.dll | SHGetKnownFolderPath, CommandLineToArgvW, SHGetFileInfoW, SHGetStockIconInfo, ShellExecuteW, SHCreateItemFromIDList, SHCreateItemFromParsingName, SHGetMalloc, SHGetPathFromIDListW, SHGetKnownFolderIDList, SHBrowseForFolderW, Shell_NotifyIconW, Shell_NotifyIconGetRect
USER32.dll | IsZoomed, PeekMessageW, FindWindowA, SetCaretPos, GetIconInfo, CreateIconIndirect, CreateCursor, ShowCaret, HideCaret, DestroyCaret, CreateCaret, IsWindowEnabled, RegisterWindowMessageW, GetKeyboardLayout, RegisterClipboardFormatW, SetClipboardViewer, IsHungAppWindow, LoadIconW, EnumDisplayMonitors, GetMonitorInfoW, MonitorFromWindow, SetMenuItemInfoW, GetMenuItemInfoW, TrackPopupMenu, RemoveMenu, ModifyMenuW, AppendMenuW, InsertMenuW, DestroyMenu, CreatePopupMenu, CreateMenu, DrawMenuBar, SetMenu, LoadImageW, GetSysColorBrush, ChildWindowFromPointEx, WindowFromPoint, GetCursorPos, GetFocus, RegisterClassExW, GetClassInfoW, UnregisterClassW, UnregisterPowerSettingNotification, RegisterPowerSettingNotification, GetKeyboardLayoutList, GetAncestor, DestroyIcon, DestroyCursor, GetWindow, GetWindowThreadProcessId, SetParent, GetParent, SetWindowLongPtrW, GetKeyboardState, LoadCursorW, GetWindowLongW, ScreenToClient, ClientToScreen, SetCursor, AdjustWindowRectEx, GetWindowRect, GetClientRect, SetWindowTextW, InvalidateRect, SetWindowRgn, GetUpdateRect, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, EnableMenuItem, GetSystemMenu, GetMenu, ReleaseCapture, SetCapture, GetCapture, IsTouchWindow, UnregisterTouchWindow, RegisterTouchWindow, SetFocus, IsIconic, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, MoveWindow, FlashWindowEx, SetLayeredWindowAttributes, UpdateLayeredWindow, ShowWindow, IsChild, CreateWindowExW, AttachThreadInput, PostMessageW, SendMessageW, UpdateLayeredWindowIndirect, GetCaretBlinkTime, MessageBeep, IsWindow, GetDoubleClickTime, GetDesktopWindow, GetSysColor, ReleaseDC, GetDC, DestroyWindow, DefWindowProcW, SystemParametersInfoW, GetSystemMetrics, GetKeyState, ToAscii, ToUnicode, MapVirtualKeyW, TrackPopupMenuEx, ChangeWindowMessageFilterEx, RealGetWindowClassW, EnumWindows, GetWindowTextW, CloseTouchInputHandle, GetTouchInputInfo, GetAsyncKeyState, GetMessageExtraInfo, TrackMouseEvent, GetClipboardFormatNameW, GetWindowLongPtrW, MessageBoxW, DrawIconEx, TranslateMessage, DispatchMessageW, GetQueueStatus, GetCursor, GetCursorInfo, SetCursorPos, EnumDisplayDevicesW, SetWindowLongW, RegisterClassW, MsgWaitForMultipleObjectsEx, SetTimer, KillTimer, CharNextExA, RegisterDeviceNotificationW, UnregisterDeviceNotification, MonitorFromPoint, ChangeClipboardChain
WINMM.dll | timeSetEvent, PlaySoundW, timeKillEvent
USERENV.dll | GetUserProfileDirectoryW
VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
NETAPI32.dll | NetApiBufferFree, NetShareEnum
WS2_32.dll | WSAAsyncSelect
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegQueryValueExW, SystemFunction036, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegQueryInfoKeyW, RegSetValueExW, OpenProcessToken, AccessCheck, AllocateAndInitializeSid, CopySid, DuplicateToken, FreeSid, GetLengthSid, MapGenericMask, LookupAccountSidW, GetEffectiveRightsFromAclW, GetNamedSecurityInfoW, BuildTrusteeWithSidW
Language of compilation system | Country where language is spoken | Map
English | United States | -
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 21, 2024 12:42:13.082446098 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:13.202012062 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:42:13.202090025 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:13.202205896 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:13.321619034 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:42:14.758285999 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:42:14.798209906 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:15.310182095 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:15.429780006 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:42:25.438827991 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:25.558473110 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:42:35.563853979 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:35.683621883 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:42:45.689018965 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:45.809111118 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:42:55.813942909 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:42:55.933646917 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:43:05.938980103 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:43:06.135104895 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:43:16.023711920 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:43:16.142115116 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:43:16.143413067 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:43:16.261782885 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:43:26.267230034 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:43:26.387727976 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:43:36.392170906 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:43:36.511696100 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:43:46.517209053 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:43:46.637933969 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:43:56.642237902 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:43:56.761811018 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:44:06.767277956 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:44:06.887003899 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Dec 21, 2024 12:44:16.708856106 CET | 49733 | 80 | 192.168.2.4 | 18.166.193.8
Dec 21, 2024 12:44:16.829385996 CET | 80 | 49733 | 18.166.193.8 | 192.168.2.4
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 18.166.193.8 | 80 | 7544 | C:\Windows\System32\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 21, 2024 12:42:13.202205896 CET | 56 | OUT | (raw hex dump omitted)
Dec 21, 2024 12:42:14.758285999 CET | 85 | IN | (raw hex dump omitted)
Dec 21, 2024 12:42:15.310182095 CET | 845 | OUT | (raw hex dump omitted)
Dec 21, 2024 12:42:25.438827991 CET | 6 | OUT | Data Raw: 00
Dec 21, 2024 12:42:35.563853979 CET | 6 | OUT | Data Raw: 00
Dec 21, 2024 12:42:45.689018965 CET | 6 | OUT | Data Raw: 00
Dec 21, 2024 12:42:55.813942909 CET | 6 | OUT | Data Raw: 00
Dec 21, 2024 12:43:05.938980103 CET | 6 | OUT | Data Raw: 00
Dec 21, 2024 12:43:16.023711920 CET | 652 | OUT | (raw hex dump omitted)
Dec 21, 2024 12:43:16.142115116 CET | 6 | OUT | Data Raw: 00

                                                                                                                                        Target ID:0
                                                                                                                                        Start time:06:42:09
                                                                                                                                        Start date:21/12/2024
                                                                                                                                        Path:C:\Users\user\Desktop\hvix64.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Users\user\Desktop\hvix64.exe"
                                                                                                                                        Imagebase:0x7ff665e50000
                                                                                                                                        File size:23'278'936 bytes
                                                                                                                                        MD5 hash:60C37E8F119030AFEC51722AA561F768
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:2
                                                                                                                                        Start time:06:42:09
                                                                                                                                        Start date:21/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:3
                                                                                                                                        Start time:06:42:11
                                                                                                                                        Start date:21/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs
                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:4
Start time: 06:42:12
Start date: 21/12/2024
Path: C:\Windows\System32\dllhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
Imagebase: 0x7ff70f330000
File size: 21'312 bytes
MD5 hash: 08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 06:42:13
Start date: 21/12/2024
Path: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
Imagebase: 0x7ff664530000
File size: 238'384 bytes
MD5 hash: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 4%, ReversingLabs
Reputation: moderate
Has exited: true


Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 76.4%
Total number of Nodes: 110
Total number of Limit Nodes: 4

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
• String ID: Schedule
• API String ID: 3636854120-2739827629
• Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
• Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

Control-flow Graph

APIs
Strings
• Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315
• 0, xrefs: 000000018000828B
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: AllocAlpcConnectMemoryPortProcessVirtualWritememcpymemset
• String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
• API String ID: 2322259470-3460289035
• Opcode ID: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
• Instruction ID: a438414d86da3f9fa76c6e2917a93b97ec5bb287934b9f4f7f73d30ebcaf7dce
• Opcode Fuzzy Hash: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
• Instruction Fuzzy Hash: 6D713DB5324EC891EBA5CF65E8587DA6362F788798F80A216DE4D07668DF3CC249C700

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 47 180009bc0-180009d4a VirtualAllocEx 48 180009da0-180009da9 47->48 49 180009db1-180009e16 48->49 50 180009dab 48->50 50->49
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: AllocVirtual
• String ID: @
• API String ID: 4275171209-2766056989
• Opcode ID: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
• Instruction ID: 13e2f726a9112c9c31c995d983c9da114070f7450b087ebba6d3042457f4b947
• Opcode Fuzzy Hash: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
• Instruction Fuzzy Hash: 8F41CF32318B9881EB65CF62F854BD67764F788784F519116EE8D43B14DF38C61AC700

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 54 180005824-1800058d4 realloc NtQuerySystemInformation
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: InformationQuerySystemrealloc
• String ID:
• API String ID: 4089764311-0
• Opcode ID: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
• Instruction ID: b0525076bbbf58c043072cd616ac76dc382e5d39b6996fcf6a95a9be821e6ce1
• Opcode Fuzzy Hash: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
• Instruction Fuzzy Hash: 27015EB632498485FB55CBA6E86839BB362E38CBD4F44E0269E0D47758CE28C1098700

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 55 1800054d5-1800055a1 DuplicateHandle 57 1800055a7 55->57 58 1800069ad 55->58 57->58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
• Instruction ID: 9c50cbf5d08d3b6d4a605893f6b359a3682b26f1feaf6ace4ca51b493498b96a
• Opcode Fuzzy Hash: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
• Instruction Fuzzy Hash: 9211BFB1614B8885FB61CFA5E8187C773A0E38D794F45A116DE4E17B64CF38C209C704

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
• String ID: svchost.exe
• API String ID: 2075570005-3106260013
• Opcode ID: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
• Instruction ID: bee279387a080e4ef1cf93fe2260fe9373c10eb3ce040ed65f2ee5617e8a23f3
• Opcode Fuzzy Hash: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
• Instruction Fuzzy Hash: 87019631310A4C81FBAADB21E4A93DA6360BB8C795F449025A95E46695DF3CC34CC740

Control-flow Graph

[Control-flow graph image; legend: Executed / Not Executed. Basic block 18000ad3e-18000adcc calls VirtualAllocEx and branches to 18000add5 and 18000adce; 18000adce falls through to 18000add5.]
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: AllocVirtual
• String ID: @
• API String ID: 4275171209-2766056989
• Opcode ID: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
• Instruction ID: 6b845daad974ccd9c6abd76d61111d535f536517db2d34ef27256cbb8d76cfd7
• Opcode Fuzzy Hash: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
• Instruction Fuzzy Hash: 7B016DB5729A8C41FBA9CBA1F465BD62360A78DBD4F40A21A9D0E17B55DE2CC2068304

Control-flow Graph

[Control-flow graph image; legend: Executed / Not Executed. Basic block 18000a9be-18000aa4b calls VirtualAllocEx and branches to 18000aa51 and 18000b194; 18000aa51 continues to 18000b194.]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
• Instruction ID: 251b8e02f3a2b925dc00676b0f08ae0c6924386de3889a0ff5d432a66f8cfcc3
• Opcode Fuzzy Hash: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
• Instruction Fuzzy Hash: 75012CB5619E8C41FBA9CBA1F464BDA6774E78DB94F40A11ADE0E17B51DF28C20AC304

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: AdjustPrivilege
• String ID:
• API String ID: 3260937286-0
• Opcode ID: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
• Instruction ID: 04bb496a426d1b43e6b52f20395e61ae4e41d159ec3593a713d9b4970c529e46
• Opcode Fuzzy Hash: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
• Instruction Fuzzy Hash: A5F04F3A334F8C81EBE9DB21E85979667A0B74CB98F41A406ED4D43764CE3DC2158B00

Control-flow Graph

[Control-flow graph image; legend: Executed / Not Executed. Basic block 180005a0d-180005a86 calls GetProcessId and branches to 1800069ba and 180005a8c; 180005a8c continues to 1800069ba.]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: Process
• String ID:
• API String ID: 1235230986-0
• Opcode ID: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
• Instruction ID: d652ffa87c38ed1c04ac93e0a0d2335ef1528c7a1f19fbd04ef7ff50280f2555
• Opcode Fuzzy Hash: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
• Instruction Fuzzy Hash: 0C018BB271490485EB54CB59E4503AB7371F78DBD8F50A122EF4E87764DF29C256C704

Control-flow Graph

[Control-flow graph image; legend: Executed / Not Executed. Basic block 18000af22-18000afa4 calls WriteProcessMemory and branches to 18000afaa and 18000b1a0; 18000afaa continues to 18000b1a0.]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
• Instruction ID: 56856a108c934b35fd8b12db096080665d1aff2e22ecb35535ebb708edeb7d18
• Opcode Fuzzy Hash: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
• Instruction Fuzzy Hash: 9101E8B5319E8891FBA9CB52E898386A362A78DBD0F51D1169D0D47768CE2DC109C304

Control-flow Graph

[Control-flow graph image; legend: Executed / Not Executed. Basic block 18000a8b2-18000a937 calls WriteProcessMemory and branches to 18000a939 and 18000a940; 18000a939 falls through to 18000a940.]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
• Instruction ID: 440d9c2e63d84a318507e4d3145013176a8cc7cafd38941c5fd7eab054e276a3
• Opcode Fuzzy Hash: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
• Instruction Fuzzy Hash: 4A013CF5319E8881FBA5CB56E898786A762E78EBD4F41D1168D4D0B768CF3DC109C304

Control-flow Graph

[Control-flow graph image; legend: Executed / Not Executed. Basic block 18000b100-18000b183 calls WriteProcessMemory and branches to 18000b185 and 18000b18c; 18000b185 falls through to 18000b18c.]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
• Instruction ID: 24c97e1a4b5bf787aa031fe235fe3c6da918f95ea593df74073bd4adbefb4954
• Opcode Fuzzy Hash: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
• Instruction Fuzzy Hash: 73F03CF5329E9981FBA5CB12EC58786A322F789BD4F41E1168D0D4B768CE2DC2098384

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
• String ID: %s\%s$\Microsoft\Windows
• API String ID: 1085075972-4137575348
• Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
• Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: FromString$CreateInitializeInstance
• String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 511945936-2205580742
• Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
• Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: String$Alloc$FromInitVariant
• String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
• API String ID: 929278495-107290059
• Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
• Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300
APIs
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID:
• API String ID: 808467561-0
• Opcode ID: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
• Instruction ID: 4599084cfb13f8c747939fbc3aba35a6bd4e8a08bbcc0f0b71949d4f47730483
• Opcode Fuzzy Hash: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
• Instruction Fuzzy Hash: 5FB2E0766022998BE7A7CE69D544BED37A5F78C3C8F509125EA0657B88DF34CB48CB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
• API String ID: 0-3440571002
• Opcode ID: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
• Instruction ID: 8c3100648684ed6cf3a6acba9f1e9974d33f54458c7afc613a7cd7d66638faa8
• Opcode Fuzzy Hash: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
• Instruction Fuzzy Hash: 53124DF5720E9891EF94CBB9E8687C66362F78D798F81A117DE0D57624DE38C20AC700
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: ExceptionThrow
• String ID: __restrict$__swift_1$__swift_2$__unaligned$call
• API String ID: 432778473-3141380587
• Opcode ID: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
• Instruction ID: 673e966dcc0d85f334313fac89718d38bf41ed5ef13417959e8c730922fdb805
• Opcode Fuzzy Hash: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
• Instruction Fuzzy Hash: 5C627E72701E8882EB86EB25D4583DD27A1FB8EBD4F408125FA5E577A6DF38C649C700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
• Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
• Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
• Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
• API String ID: 0-638001070
• Opcode ID: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
• Instruction ID: 1bf4e9e1e70513e3816d114cab4aa84c7a719184b3830627372934e1f9606700
• Opcode Fuzzy Hash: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
• Instruction Fuzzy Hash: 0C8127F5324E9982EF95CBA8F8697D66322F7897D8F80A112CD1E57624DE38D209C704
Strings
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
APIs
• API ID: memcpy_s
• String ID:
Strings
• API ID: _invalid_parameter_noinfo
• String ID: 0$ko-KR
Strings
• API ID:
• String ID: 0$p
APIs
• API ID: _invalid_parameter_noinfo
• String ID:
APIs
• API ID: _clrfp
• String ID:
Strings
• API ID: ExceptionThrow
• String ID: l section in CAtlBaseModule
Strings
• API ID:
• String ID: __restrict
Strings
• API ID: _invalid_parameter_noinfo
• String ID: 0
Strings
• API ID:
• String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: ncalrpc
                                                                                                                                          • API String ID: 0-2983622238
                                                                                                                                          • Opcode ID: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
                                                                                                                                          • Instruction ID: 72ca54434e2e545ad87ad6f85711ca4f80c48705b1af1cf0b8a8e1738ac29a0d
                                                                                                                                          • Opcode Fuzzy Hash: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
                                                                                                                                          • Instruction Fuzzy Hash: 99312FB1721A6952EF49CF78E8687966762F79C794F91E522CE0E4B624DE3CC209C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
                                                                                                                                          • Instruction ID: 6d80879f2b6ca484a565809d41c0eb2dabc8ae21e66747f9efe079bfb1bd8c10
                                                                                                                                          • Opcode Fuzzy Hash: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
                                                                                                                                          • Instruction Fuzzy Hash: DA22D177310AA882EB46DB65C0547AC33B6FB48B84F028116FB599B7B1DF38D668C354
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
                                                                                                                                          • Instruction ID: 946e0dd2bba7b3100fd246393857d7d015b19ff97fe3a12f1d34a5a40530aed8
                                                                                                                                          • Opcode Fuzzy Hash: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
                                                                                                                                          • Instruction Fuzzy Hash: E4E181722046C986EBB2CB15E8943E977A1F78E7D4F84C121EA8A936D5DF78C64DC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
                                                                                                                                          • Instruction ID: c02e86e1f92cc5576d6cd232989999bceb531278b49536794b781076c4770d9c
                                                                                                                                          • Opcode Fuzzy Hash: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
                                                                                                                                          • Instruction Fuzzy Hash: BFE1D032708A848AE793CF68E5803DD77B1F74A7D8F548116EA4E57B99DE38C25AC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
                                                                                                                                          • Instruction ID: 207e761d23252ea67ff1337872d1fa257f2b4668b6d9f4a23401ae9418e5b291
                                                                                                                                          • Opcode Fuzzy Hash: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
                                                                                                                                          • Instruction Fuzzy Hash: AFB1AB72A10B8886E352CF39D8457DC37A4F389B88F519216EE4D17B66DF35D689CB00
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
                                                                                                                                          • Instruction ID: 30b487c4dbfd5edb157edb9dd0446cf9089909246d75a709a71c41256c183c41
                                                                                                                                          • Opcode Fuzzy Hash: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
                                                                                                                                          • Instruction Fuzzy Hash: 4F410672B10A5886EB14CF64F815B9AB3A8F788794F505025DF8E47B68EF3CC156C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                                          • Instruction ID: 6a73b4ca67aa358b5cca9cf8f50e7addbf38a80432c4fb2377473208703d20e7
                                                                                                                                          • Opcode Fuzzy Hash: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                                          • Instruction Fuzzy Hash: 645126E9654B9982EF94DBA9F8693D62322FB497D8F80F112CE1E57724DD38D209C304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                                          • Instruction ID: b6fa69fb7e3d6089a58b1dc0a55349c666dd73e1d328c0310e1d9ae523244059
                                                                                                                                          • Opcode Fuzzy Hash: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                                          • Instruction Fuzzy Hash: A351CF32715F8896EB64CB65F94478A73A5F7887C4F54412AEA8E83B28EF3CD119C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
• Instruction ID: 9937fe3f73516922539d469a7d9b5dbd200fa43091dfd9594953e81ca0841af9
• Opcode Fuzzy Hash: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
• Instruction Fuzzy Hash: 7F51C2B5760E9982EB64CF65E8687D66321FB89BD4F44E126DE0E57B24DE3CC11AC300
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
• Instruction ID: 211af31c44281ca6c3f3932d9a28d26ed70725301ca9e5a4bb4aa04c7d8998f6
• Opcode Fuzzy Hash: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
• Instruction Fuzzy Hash: 25419232310A5886EB85CF6AE954399A391E34CFD4F49D427EE4D97B58DE3CC649C300
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
• Instruction ID: 9b73b6c5183f860324fa61cee2baeb0ca0f8f8b507aed4a99a4e0eda6c344d24
• Opcode Fuzzy Hash: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
• Instruction Fuzzy Hash: 984103B3714E4995EB25CF61E86478AB3A5F3887D8F44E126EE4D07A58DF38C246C300
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
• Instruction ID: 048e6db2ecfd184872977d7eb727c5e493510e05d032e6f18c4ab6865a9947bf
• Opcode Fuzzy Hash: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
• Instruction Fuzzy Hash: B341B37261C6888AF7EB8F15B4847967B91E34E3D0F11C429F94A87691DF79C6888F00
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
• Instruction ID: ea9816badbe891c07a2aded6d1ec92d5857af46983f2473552b7590bc608b90a
• Opcode Fuzzy Hash: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
• Instruction Fuzzy Hash: 24419D76B20A8886EB14CB65F45479AB365F38CBC4F40912ADE4E53B68DE3CC216C740
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
• Instruction ID: ff810da637aa1fd401c95da2c6d69315e604f84d2d111450c1a2a7c20e68e2a5
• Opcode Fuzzy Hash: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
• Instruction Fuzzy Hash: B941FFB2318F89D6DB54CFA5E4A579A7B61F388788F84901ADE4E47A14DF38C12AC340
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
• Instruction ID: 1f6bebfb10a220892d2831274fb9d9e41c253fa787b11ea253d3ff134c5c468f
• Opcode Fuzzy Hash: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
• Instruction Fuzzy Hash: FF419FB2214F88D2EB54CF55E88478AB7A6F3447C4F94D126EE8D5BA18CF78C15AC740
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
• Instruction ID: d558cfae5a731fffe16df58c07b62597b32ae423ecf54f032ed4b289fbb168ab
• Opcode Fuzzy Hash: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
• Instruction Fuzzy Hash: 4041D3B2324E4DD2DF48CB15E454B9A7365F748BC8F658216DA4E87768EF39C21AC700
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
• Instruction ID: c4b80034388e89da8ffe7b427c8155ba048d36e5b74cf413b7ce4096cc0294b9
• Opcode Fuzzy Hash: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
• Instruction Fuzzy Hash: AC4126B2728E48A2DB14CF25E69878E7762F3443C4F45A206EE4E57328DF39C225C700
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
• Instruction ID: 30f2c0aa2bc627d33595a3753288768bcaf23473739ac437f1ff85fbf168e941
• Opcode Fuzzy Hash: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
• Instruction Fuzzy Hash: FA31CFB2764E8987EB94CFA4E4657EA3B21F384398F84911BDE4F47A14DE68C01AC341
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
• Instruction ID: 42c4d16a0e0d136c5a94160c46d85d5892129638e54f14ca30ac4ff8e229c4e5
• Opcode Fuzzy Hash: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
• Instruction Fuzzy Hash: 65310DF9654B9892EB55DBB8F8697C62322F74D7D8F81B502CE0E27624DE38D209C740
Memory Dump Source
• Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
                                                                                                                                          • Instruction ID: 91db3ca7ca736f51b2b9f4a1fdda40ff6b442f2c49d3b76bc6f7bd54feb42801
                                                                                                                                          • Opcode Fuzzy Hash: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
                                                                                                                                          • Instruction Fuzzy Hash: 2531FBB5314E8481EF99CF66ECA93A66362FB88BE4F54E1168E0F57B64CE3DC1458304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
                                                                                                                                          • Instruction ID: b9540b73c02fa2fd8fd9ed4b04a7558bae6bb2522907684b3f8178f982c6447f
                                                                                                                                          • Opcode Fuzzy Hash: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
                                                                                                                                          • Instruction Fuzzy Hash: 3F215EF53159A882EB95CF65E8787972322FB49BD8F81E112CD1E57764DE38C209C304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
                                                                                                                                          • Instruction ID: 34ebe62695f2a6a6ea2397927167a92a4784dc70ec7df40509b9419055f8788e
                                                                                                                                          • Opcode Fuzzy Hash: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
                                                                                                                                          • Instruction Fuzzy Hash: 7D31C1F6715A499AEB14CF60E46478AB3A5F3447C8F48E226EA4E47A1CDF78C219C304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
                                                                                                                                          • Instruction ID: ea228047f8abccb8f34d8cb69d0855da280cee6fe6b78123f25de321abaee775
                                                                                                                                          • Opcode Fuzzy Hash: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
                                                                                                                                          • Instruction Fuzzy Hash: BD2101B2724E8885EB95CF62E828B9A7361F38CBD4F419126DE4E47B54CE3CC10AC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
                                                                                                                                          • Instruction ID: 6d7058e35041f85eefca8006119c3596d2fa62747ef7dd2be534be946fff4e46
                                                                                                                                          • Opcode Fuzzy Hash: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
                                                                                                                                          • Instruction Fuzzy Hash: BB21D5B2764E5892DB59CFB6E864BC63761E759BD4F40A116EE0D57324EE38CA06C300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
                                                                                                                                          • Instruction ID: 64e956f36281cdf23b4cab459502cafc9c3b83219f603c2a53f066b43bdf7739
                                                                                                                                          • Opcode Fuzzy Hash: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
                                                                                                                                          • Instruction Fuzzy Hash: 9931A2B2724A49A6DB15CF64D25878E7B62F3443D8F49A206DB0E57628EF39C16AC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
                                                                                                                                          • Instruction ID: 8007ea01a93bf6de8c95f9a16faa5e8d6c04bd6e38d315922757046993a1328b
                                                                                                                                          • Opcode Fuzzy Hash: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
                                                                                                                                          • Instruction Fuzzy Hash: 5F2148F5761EA982EB89CFB5E86979A2321E749BD8F41A112CD0E17724DE2CD6098300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                                          • Instruction ID: baf3eb62263214422a0973d769ae56c08939dd68f110effc1bb9cb03c9f86de4
                                                                                                                                          • Opcode Fuzzy Hash: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                                          • Instruction Fuzzy Hash: CE2159F5720AA892EB85CFB4E468BD627A1F74C3A4F81A413DE0D47620EE39C209C300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                                          • Instruction ID: 7d1135aa24797edbf35de8feb47ffd13e3235087d5b84f893e072cfd3e31e24b
                                                                                                                                          • Opcode Fuzzy Hash: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                                          • Instruction Fuzzy Hash: D1118EA271498C46FB96DBB4F969BD76322EB4C3A9F80A012DD0D07A55DD3CC24AC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                                          • Instruction ID: 95480194bb9f6c9ad9d964584a4fad66eb43ce3f3ee230db89eb3e49904c33dd
                                                                                                                                          • Opcode Fuzzy Hash: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                                          • Instruction Fuzzy Hash: 56210BF2711A5D92EB49DF75D868BD667A2E78CBD4F41E512CD0E5B624DE3CC2098300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                                          • Instruction ID: 02ba138fbc53fc0a7e206b6c0fccc1f4cb11f22df8a79a790e142c2087e4c986
                                                                                                                                          • Opcode Fuzzy Hash: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                                          • Instruction Fuzzy Hash: 48213BB6761A5DC5EF49DF65E868B8A6721F788BD8F41A122CD0E47728DE3CD209C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                                          • Instruction ID: 4519c20df033b0754d584584f46a47e9c3f61284702b1b178af72c485ed47193
                                                                                                                                          • Opcode Fuzzy Hash: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                                          • Instruction Fuzzy Hash: E02160F5714F8482EB45CBB5E8593CA63B1FB897A4F40A506DA4E57A24EE3CD20AC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                                          • Instruction ID: bc53908923a101081ac78a2ff91d1596a8a62396a49556bd27b6b69a29ae519e
                                                                                                                                          • Opcode Fuzzy Hash: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                                          • Instruction Fuzzy Hash: 6511E3E262096C82FB59DFA6A869F862332E349BD8F01E123DD5E5B714DD39C10BC300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                                          • Instruction ID: 8fbfe2caa4e00eb4ae2a73ae29cd16ebba4a4082f14f5113274d96e794981e6d
                                                                                                                                          • Opcode Fuzzy Hash: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                                          • Instruction Fuzzy Hash: 0721A4B2709A9882EB55CF64E4687977761FB8C798F41A116DE4E47A14EF3DC109C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
                                                                                                                                          • Instruction ID: 9e59c1c7de84271de07ddad5238888e61d5fae15b8e3d2a62c0818bf1ca1a5d9
                                                                                                                                          • Opcode Fuzzy Hash: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
                                                                                                                                          • Instruction Fuzzy Hash: 2F1151B5714E9882EB54CB74E46839A6361F7887B8F80A316C92E576E4DF39C10AC744
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
                                                                                                                                          • Instruction ID: 453c13d840d8ab8480c25eabad8a5a4e6cf22c2320a7064174f112572a8564ab
                                                                                                                                          • Opcode Fuzzy Hash: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
                                                                                                                                          • Instruction Fuzzy Hash: 8E113CE171196846FF89CF65D9697665393EB8C7E4F81E426CE0E8B768ED3CC1098304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
                                                                                                                                          • Instruction ID: dcb26d1462b17352493136ca1a284502f5bdb4a1f8be4333a819d013a470b478
                                                                                                                                          • Opcode Fuzzy Hash: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
                                                                                                                                          • Instruction Fuzzy Hash: 3311C2B6624A9E42E709DFF4B424FCA3771E389750F00B517DE4A53510DE38C21AC300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
                                                                                                                                          • Instruction ID: 1bcc190078e11d5e3502c0fb8cfdf52a8957de65a2b1b8071e9e04ba3849ecfd
                                                                                                                                          • Opcode Fuzzy Hash: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
                                                                                                                                          • Instruction Fuzzy Hash: 9D1100F5721E9841FB49CB75D4683D66362E788794F80A917CA0F57664DD39C2498340
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
                                                                                                                                          • Instruction ID: 81b86e7094c320bcc5e7f926c263843823ab5f04b050e6f3beb40bfc522f2c83
                                                                                                                                          • Opcode Fuzzy Hash: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
                                                                                                                                          • Instruction Fuzzy Hash: 4F114FB5614E9882EB54CB78F4687DA6321F78C798F80B113CD0E57625EE39C21AC340
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
                                                                                                                                          • Instruction ID: 58ab01e0f729e006e025e3cd5db47f1a357a7dbbf023e6ea43b04656e7f2b6d0
                                                                                                                                          • Opcode Fuzzy Hash: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
                                                                                                                                          • Instruction Fuzzy Hash: 6A113DB1715E6881EB59CF65E9587866362F74C798F82E122CC4E47728EE39C248C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
                                                                                                                                          • Instruction ID: 246bc5305b8913a4d01db227893256f8bf5d597bde7be6eae501e461eb4fa0bc
                                                                                                                                          • Opcode Fuzzy Hash: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
                                                                                                                                          • Instruction Fuzzy Hash: A4113CB2711E5C91EB49CF25E868B9A67A1F78CB94F41E526DE0E47768DE3CC209C300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
                                                                                                                                          • Instruction ID: 91f1bf17694832eb7885352137df2ae2a0c82d5e88c9f87b3bad460dc89f63f9
                                                                                                                                          • Opcode Fuzzy Hash: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
                                                                                                                                          • Instruction Fuzzy Hash: 451169F531286D82EB89CF65E929B865322E7487D8F82F112CC0E4B718ED39D109C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
                                                                                                                                          • Instruction ID: 39990edd012c80a11a8c246ade81e0b00b1fb03419df7482220b1a2638345046
                                                                                                                                          • Opcode Fuzzy Hash: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
                                                                                                                                          • Instruction Fuzzy Hash: 7E11A5F1330A8886FB95CBB5E8683DA6361E78D7D4F84B012CE0E47765CE28C20AC304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
                                                                                                                                          • Instruction ID: 15f0b12e67b83b815c9156cfa897ef3110cdd404d207d48cd89176b21f2d8fa0
                                                                                                                                          • Opcode Fuzzy Hash: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
                                                                                                                                          • Instruction Fuzzy Hash: 06015EB5751E6D82EB89DF75E4697DA2320EB48B94F82B512CC0E57320ED3CDA0AC300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
                                                                                                                                          • Instruction ID: 22dcafcaff4b78d83aaf35a6f31f5da21172cbe544e4bfae6083fdcba81ddec3
                                                                                                                                          • Opcode Fuzzy Hash: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
                                                                                                                                          • Instruction Fuzzy Hash: 080152F5611E9D82EB45CBB9E8A83D76325E78D7E8F40E1128E0E67625DE38C2098300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
                                                                                                                                          • Instruction ID: c05fe9916e29f3615726ac8ab40efd06a7f832fe150a5180127c36e0d361f74a
                                                                                                                                          • Opcode Fuzzy Hash: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
                                                                                                                                          • Instruction Fuzzy Hash: 130125F1652E5E82FB59CBA4E569BC66362EB487D8F40F1179D0D07618EE3CD219C304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
                                                                                                                                          • Instruction ID: c5723c18dcfd40d5e26eb64c6513ed8ad7c8279d3e69258c72aec0d621b19a73
                                                                                                                                          • Opcode Fuzzy Hash: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
                                                                                                                                          • Instruction Fuzzy Hash: 15F06871714A548AEBD5CF2CA44276A77D0F30C3C4FA0C519E68983B04D63D8165CF04
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1326835672-0
                                                                                                                                          • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
                                                                                                                                          • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
                                                                                                                                          • String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
                                                                                                                                          • API String ID: 2273495996-2419032777
                                                                                                                                          • Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
                                                                                                                                          • Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _set_statfp
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1156100317-0
                                                                                                                                          • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
                                                                                                                                          • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: *$ko-KR
                                                                                                                                          • API String ID: 3215553584-1095117856
                                                                                                                                          • Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                                          • Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
                                                                                                                                          • Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                                          • Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: __swift_1$__swift_2
                                                                                                                                          • API String ID: 0-2914474356
                                                                                                                                          • Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                          • Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
                                                                                                                                          • Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                          • Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: gfff$o-l1-2-1
                                                                                                                                          • API String ID: 3215553584-1082851355
                                                                                                                                          • Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                          • Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
                                                                                                                                          • Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                          • Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
                                                                                                                                          • API String ID: 3215553584-688204690
                                                                                                                                          • Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                          • Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
                                                                                                                                          • Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                          • Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DestructExceptionObject$__vcrt_getptd_noexit
                                                                                                                                          • String ID: csm
                                                                                                                                          • API String ID: 3780691363-1018135373
                                                                                                                                          • Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                          • Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
                                                                                                                                          • Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                          • Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __std_exception_copy
                                                                                                                                          • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                                          • API String ID: 592178966-1611991873
                                                                                                                                          • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
                                                                                                                                          • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1742238830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1742106603.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742515479.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742552950.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1742586469.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_hvix64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                          • String ID: File
                                                                                                                                          • API String ID: 932687459-749574446
                                                                                                                                          • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
                                                                                                                                          • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

                                                                                                                                          Execution Graph

Execution Coverage: 1.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.6%
Total number of Nodes: 107
Total number of Limit Nodes: 17
                                                                                                                                          execution_graph 27872 1845b3a0000 27875 1845b3a0a68 27872->27875 27874 1845b3a0019 27876 1845b3a0a84 27875->27876 27878 1845b3a0b0e 27876->27878 27879 1845b3a0768 27876->27879 27878->27874 27882 1845b3a0778 27879->27882 27881 1845b3a0771 27881->27878 27883 1845b3a07a8 27882->27883 27885 1845b3a088a 27883->27885 27886 1845b3a0508 27883->27886 27885->27881 27888 1845b3a052c 27886->27888 27887 1845b3a061d LoadLibraryA 27887->27888 27890 1845b3a06fa 27887->27890 27888->27887 27889 1845b3a06c1 GetProcAddressForCaller 27888->27889 27888->27890 27889->27888 27889->27890 27890->27885 27891 1845b370345 27892 1845b3703ff 27891->27892 27894 1845b370360 27891->27894 27893 1845b370387 VirtualFree 27893->27894 27894->27892 27894->27893 27895 1845b370000 27898 1845b370a68 27895->27898 27897 1845b370019 27899 1845b370a84 27898->27899 27901 1845b370b0e 27899->27901 27902 1845b370768 27899->27902 27901->27897 27905 1845b370778 27902->27905 27904 1845b370771 27904->27901 27906 1845b3707a8 27905->27906 27908 1845b37088a 27906->27908 27909 1845b370508 27906->27909 27908->27904 27912 1845b37052c 27909->27912 27910 1845b3706fa 27910->27908 27911 1845b37061d LoadLibraryA 27911->27910 27911->27912 27912->27910 27912->27911 27917 1800019d0 DeleteFileW 27918 1800019e3 SleepEx DeleteFileW 27917->27918 27919 1800019fb 27917->27919 27918->27918 27918->27919 27920 180001920 memset GetModuleFileNameW wcsstr 27921 1800019a8 27920->27921 27922 18000197a IsUserAnAdmin 27920->27922 27932 180001010 malloc 27921->27932 27924 180001984 27922->27924 27925 180001995 27922->27925 27969 1800015b0 28 API calls 27924->27969 27929 18000199f ExitProcess 27925->27929 27928 18000198c ExitProcess 27933 180001568 27932->27933 27938 18000104e 27932->27938 27934 180112660 8 API calls 27933->27934 27935 18000159f 27934->27935 27970 180112660 27935->27970 27936 1800010c4 malloc 
27936->27933 27937 1800010db memcpy memcpy 27936->27937 27939 180001120 27937->27939 27938->27936 27939->27933 27940 180001195 memset wsprintfW CreateFileW 27939->27940 27941 180001212 GetLastError 27940->27941 27942 18000121a WriteFile 27940->27942 27943 18000124c SleepEx memset wsprintfW CreateFileW 27941->27943 27944 180001243 CloseHandle 27942->27944 27945 18000123d GetLastError 27942->27945 27946 1800012c4 GetLastError 27943->27946 27947 1800012cc WriteFile 27943->27947 27944->27943 27945->27944 27948 1800012fe SleepEx memset wsprintfW CreateFileW 27946->27948 27949 1800012f5 CloseHandle 27947->27949 27950 1800012ef GetLastError 27947->27950 27951 180001376 GetLastError 27948->27951 27952 18000137e WriteFile 27948->27952 27949->27948 27950->27949 27953 1800013ac SleepEx 27951->27953 27954 1800013a3 CloseHandle 27952->27954 27955 18000139d GetLastError 27952->27955 27953->27933 27956 1800013c1 VirtualAlloc 27953->27956 27954->27953 27955->27954 27956->27933 27957 1800013e6 memcpy CreateThread 27956->27957 27979 180001a10 CoInitializeEx 27957->27979 27960 180001523 memset memcpy CreateThread 27960->27933 27961 180001430 VariantInit 27962 180001498 27961->27962 27963 18000149c SysAllocString 27962->27963 27964 1800014be GetLastError 27962->27964 27966 1800014ba 27963->27966 27965 1800014c4 27964->27965 27965->27960 27967 1800014ca memset wsprintfW 27965->27967 27966->27964 27966->27965 27987 180001d60 27967->27987 27969->27928 27971 180112669 27970->27971 27972 1800019c0 27971->27972 27973 180112a14 IsProcessorFeaturePresent 27971->27973 27974 180112a2c 27973->27974 28000 180112ae8 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 27974->28000 27976 180112a3f 28001 1801129e0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 27976->28001 27980 180001b50 27979->27980 27980->27980 27981 180001cae CLSIDFromString 27980->27981 27982 180001d04 IIDFromString 27981->27982 27983 180001d3b 27981->27983 27982->27983 27984 
180001d17 CoCreateInstance 27982->27984 27985 180112660 8 API calls 27983->27985 27984->27983 27986 180001423 27985->27986 27986->27960 27986->27961 27988 180001da5 SysAllocString 27987->27988 27999 18000206a 27987->27999 27990 180001dbb 27988->27990 27989 180112660 8 API calls 27991 180002086 27989->27991 27992 180001dd9 SysAllocString SysAllocString 27990->27992 27990->27999 27991->27960 27993 180001e08 27992->27993 27994 180001f1f IIDFromString 27993->27994 27993->27999 27995 180001f4c 27994->27995 27996 180001f5e SysAllocString SysAllocString 27995->27996 27995->27999 27997 180001f88 27996->27997 27998 180001fd9 VariantInit SysAllocString 27997->27998 27997->27999 27998->27999 27999->27989 28000->27976

Control-flow Graph

                                                                                                                                          control_flow_graph 0 180001010-180001048 malloc 1 18000104e-18000107d call 180113300 0->1 2 180001590-1800015a9 call 180112660 0->2 7 180001084-18000108c 1->7 8 18000107f-180001082 1->8 10 180001093-1800010a4 7->10 11 18000108e-180001091 7->11 9 1800010c4-1800010d5 malloc 8->9 14 180001578-180001588 9->14 15 1800010db-180001116 memcpy * 2 9->15 12 1800010a6-1800010a9 10->12 13 1800010ab-1800010be call 180113336 10->13 11->9 12->9 13->9 14->2 17 180001120-18000116c 15->17 17->17 19 18000116e-18000117a 17->19 20 180001180-18000118b 19->20 20->20 21 18000118d-18000118f 20->21 21->14 22 180001195-180001210 memset wsprintfW CreateFileW 21->22 23 180001212-180001218 GetLastError 22->23 24 18000121a-18000123b WriteFile 22->24 25 18000124c-1800012c2 SleepEx memset wsprintfW CreateFileW 23->25 26 180001243-180001246 CloseHandle 24->26 27 18000123d GetLastError 24->27 28 1800012c4-1800012ca GetLastError 25->28 29 1800012cc-1800012ed WriteFile 25->29 26->25 27->26 30 1800012fe-180001374 SleepEx memset wsprintfW CreateFileW 28->30 31 1800012f5-1800012f8 CloseHandle 29->31 32 1800012ef GetLastError 29->32 33 180001376-18000137c GetLastError 30->33 34 18000137e-18000139b WriteFile 30->34 31->30 32->31 35 1800013ac-1800013bb SleepEx 33->35 36 1800013a3-1800013a6 CloseHandle 34->36 37 18000139d GetLastError 34->37 38 1800013c1-1800013e0 VirtualAlloc 35->38 39 180001568-180001570 35->39 36->35 37->36 38->39 40 1800013e6-18000142a memcpy CreateThread call 180001a10 38->40 39->14 43 180001523-180001562 memset memcpy CreateThread 40->43 44 180001430-18000149a VariantInit 40->44 43->39 46 18000149c-1800014bc SysAllocString 44->46 47 1800014be GetLastError 44->47 46->47 48 1800014c4-1800014c8 46->48 47->48 48->43 50 1800014ca-18000151e memset wsprintfW call 180001d60 48->50 50->43
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
• String ID: %s\%s$\Microsoft\Windows
• API String ID: 1085075972-4137575348
• Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
• Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: FromString$CreateInitializeInstance
• String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 511945936-2205580742
• Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
• Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2979050070.000001845B3A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B3A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b3a0000_svchost.jbxd
Similarity
• API ID: AddressCallerLibraryLoadProc
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 4215043672-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction ID: c381af4db78858afda48622ee0d699de6729f89d134ab15c92d4731855fb9dee
• Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction Fuzzy Hash: 4771D130604A0A8BEB58EF58C845BED77E1FF94710F20815AD80AE7296DF35E9428F85

Control-flow Graph

                                                                                                                                          control_flow_graph 149 180001d60-180001d9f 150 180001da5-180001dd3 SysAllocString 149->150 151 180002078 149->151 150->151 157 180001dd9-180001e0a SysAllocString * 2 150->157 152 18000207a-180002097 call 180112660 151->152 157->151 159 180001e10-180001e49 157->159 159->151 164 180001e4f-180001e8c 159->164 164->151 169 180001e92-180001efb 164->169 169->151 177 180001f01-180001f55 IIDFromString 169->177 181 180002075 177->181 182 180001f5b-180001fb4 SysAllocString * 2 177->182 181->151 182->151 188 180001fba-180001fd3 182->188 188->151 190 180001fd9-18000205f VariantInit SysAllocString 188->190 191 18000206a-180002070 190->191 192 180002072 191->192 193 180002098-1800020ad 191->193 192->181 193->152
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: String$Alloc$FromInitVariant
• String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
• API String ID: 929278495-107290059
• Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
• Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2978971054.000001845B370000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b370000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 1029625771-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction ID: a74a42356ef8f54fa7955b3c366e675d3a8961867c6609bc0195d9789616b061
• Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction Fuzzy Hash: 8471A031614A0A8BEB58EF58C855BED77E1FF94310F21815AD80AE7286DF34DA42CF85

Control-flow Graph

                                                                                                                                          control_flow_graph 196 1800019d0-1800019e1 DeleteFileW 197 1800019e3-1800019f9 SleepEx DeleteFileW 196->197 198 1800019fb-180001a02 196->198 197->197 197->198
APIs
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: DeleteFile$Sleep
• String ID:
• API String ID: 2100639427-0
• Opcode ID: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
• Instruction ID: ee9c1bd20bde787a3df6403edb75ddca03fdaf3f5216dae4a0b383b50a80e175
• Opcode Fuzzy Hash: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
• Instruction Fuzzy Hash: 5CD05E20301A0986FB9A5BB2E8583E613A85B0DBD2F0860249C1685280DF18C7CE8301

Control-flow Graph

                                                                                                                                          control_flow_graph 212 1845b3a0345-1845b3a035a 213 1845b3a03ff-1845b3a041c 212->213 214 1845b3a0360-1845b3a0361 212->214 215 1845b3a0363-1845b3a0385 214->215 216 1845b3a0387-1845b3a0397 VirtualFree 215->216 217 1845b3a0399-1845b3a03ba 215->217 218 1845b3a03e8-1845b3a03f9 216->218 219 1845b3a03bc-1845b3a03c0 217->219 220 1845b3a03d5-1845b3a03e5 217->220 218->213 218->215 221 1845b3a03c2-1845b3a03c6 219->221 222 1845b3a03c8-1845b3a03cb 219->222 220->218 223 1845b3a03d1-1845b3a03d3 221->223 222->218 224 1845b3a03cd-1845b3a03ce 222->224 223->218 223->220 224->223
APIs
Memory Dump Source
• Source File: 00000002.00000002.2979050070.000001845B3A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B3A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b3a0000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction ID: ef4bb6c71454d22b561e0105ee1553b42766148eaa3c283ca195eff69e386f39
• Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction Fuzzy Hash: 2131C3316586018BDB5CEA1CE8C26A973D0F795304B30529EE9C7D71C7EE39E9438B89

Control-flow Graph

                                                                                                                                          control_flow_graph 199 1845b370345-1845b37035a 200 1845b370360-1845b370361 199->200 201 1845b3703ff-1845b37041c 199->201 202 1845b370363-1845b370385 200->202 203 1845b370399-1845b3703ba 202->203 204 1845b370387-1845b370397 VirtualFree 202->204 206 1845b3703d5-1845b3703e5 203->206 207 1845b3703bc-1845b3703c0 203->207 205 1845b3703e8-1845b3703f9 204->205 205->201 205->202 206->205 208 1845b3703c8-1845b3703cb 207->208 209 1845b3703c2-1845b3703c6 207->209 208->205 211 1845b3703cd-1845b3703ce 208->211 210 1845b3703d1-1845b3703d3 209->210 210->205 210->206 211->210
APIs
Memory Dump Source
• Source File: 00000002.00000002.2978971054.000001845B370000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b370000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction ID: fb5624946f701f58ffc31c8419db3424fa54852be020087c6986d22e8504e12a
• Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction Fuzzy Hash: 7131C3316586018BEB5CDA1CE8C26AD73D0F795304B20519EE9C7D7187EE39E9438B89

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
                                                                                                                                          • String ID: Schedule
                                                                                                                                          • API String ID: 3636854120-2739827629
                                                                                                                                          • Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
                                                                                                                                          • Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
                                                                                                                                          • Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
                                                                                                                                          • Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

                                                                                                                                          Control-flow Graph

                                                                                                                                          [Control-flow graph image: basic blocks 1186-1201 of the function at 1845bf30e10; blocks call 1845c0487d0, 1845c0487c8, 1845c0487b8, 1845c0487c0 and 1845c041a60]
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
                                                                                                                                          • API String ID: 0-2205580742
                                                                                                                                          • Opcode ID: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
                                                                                                                                          • Instruction ID: dcab3b9f2db7d9d944fb45beb8de10387a31829edead7d99da5042bcf1608516
                                                                                                                                          • Opcode Fuzzy Hash: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
                                                                                                                                          • Instruction Fuzzy Hash: 9791EE73D18BD58BE311CF7994016AEBB70F795348F14A349EA846691AEF78E680CF00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: gfffffff
                                                                                                                                          • API String ID: 3215553584-1523873471
                                                                                                                                          • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
                                                                                                                                          • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: gfffffff
                                                                                                                                          • API String ID: 3215553584-1523873471
                                                                                                                                          • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction ID: bbbae7935abc3b7bee493bde96c9e43f93909778a7fcba09dae96741df72da8d
                                                                                                                                          • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction Fuzzy Hash: BC912373B057C987EB15CB2EA4103EDBBA5A755B84F05C022CA9A877D5EF39C606CB01

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1326835672-0
                                                                                                                                          • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
                                                                                                                                          • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1326835672-0
                                                                                                                                          • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction ID: 649731ae198dc1f129116bc9484d2e52d335e8c361f54c9094adad0cce7e989a
                                                                                                                                          • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction Fuzzy Hash: 423141337012038BFB64EB68D4563ED2391AB55344F44C429AACACB6D7DF298745CF15

                                                                                                                                          Control-flow Graph

                                                                                                                                          [Control-flow graph image: basic blocks 1098-1137 of the function at 180019f69; blocks call 18002dfb8, 18002e018, 18002e0a8, 18001ac44, 18002dfc0, 18002e088, 18002e208, 18002e480, 180019d44 and 180019f58]
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
                                                                                                                                          • String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
                                                                                                                                          • API String ID: 2273495996-2419032777
                                                                                                                                          • Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
                                                                                                                                          • Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
                                                                                                                                          • String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
                                                                                                                                          • API String ID: 2273495996-2419032777
                                                                                                                                          • Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction ID: 9136cc2e46e2b1c2881ad59cf5e40b820321d34a5dd54a28c1c77466e197d6bf
                                                                                                                                          • Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction Fuzzy Hash: EE415B37302B0287FA14DB64E8117DD2361AB8AB90F44D925C98E877E4DF2DD645CB18

Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
• String ID: svchost.exe
• API String ID: 2075570005-3106260013
• Opcode ID: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
• Instruction ID: a7e4a02683164cc51efae999f71ec939c82b81573c8ef5df0e77f5c8c66af7f8
• Opcode Fuzzy Hash: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
• Instruction Fuzzy Hash: 7E015231311A4D81FBAAEB21E8A93DA6360BB8D795F449125A99E46295DF3CC34CC740

Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
• Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
• Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
• Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302

Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
• Instruction ID: 7b68062c370480586a6b508ff13b72486563f8fde28c0239a908538b01f45b2f
• Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
• Instruction Fuzzy Hash: 8B11A333A54E0313F7641125E8513ED10C06B59374F18C62DAAF6866DACF388AE24F28

Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *$ko-KR
• API String ID: 3215553584-1095117856
• Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
• Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
• Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
• Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750

Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *$ko-KR
• API String ID: 3215553584-1095117856
• Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
• Instruction ID: f16193010dff068c7ed84621fe4ca362c5b18af2dab87b3d1b5dacbfb3e3261e
• Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
• Instruction Fuzzy Hash: 47718E7350465287E76CDF288144ABE3BA0F309B58F249226DBC6C2299DF71CA82DF55

Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID:
• String ID: __swift_1$__swift_2
• API String ID: 0-2914474356
• Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
• Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340

Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: __swift_1$__swift_2
• API String ID: 0-2914474356
• Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction ID: eedcba72b94e8455cf12a778523fd45130f16c321118e2a38ffc4f48c2386725
• Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction Fuzzy Hash: 0C617833300B4283EE14DF29E94479DB3A1FB85B94F4885259FA987B99DF38D681CB40

Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$h-l1-2-0.dll
• API String ID: 0-1747795296
• Opcode ID: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
• Instruction ID: a2a64c9656dbf3ac80e007cf1625033fad391ae153a40853377359a67ab715bb
• Opcode Fuzzy Hash: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
• Instruction Fuzzy Hash: 0DE15B73301B4693EF14EB2DD54029C27A0F745FA0F848129DA9D977A2DF38CAA5CB80

Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfff$o-l1-2-1
• API String ID: 3215553584-1082851355
• Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
• Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700

Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfff$o-l1-2-1
• API String ID: 3215553584-1082851355
• Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction ID: 35f44d6248e26576cf52ff3a087703af49e5567ca7485271ac6f2982216cf897
• Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction Fuzzy Hash: CC5115737147C687E7258F29A94139DAB91E381B90F48E225D7D987AD6CF38D644CB00

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
• API String ID: 3215553584-688204690
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
• API String ID: 3215553584-688204690
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: DestructExceptionObject$__vcrt_getptd_noexit
• String ID: csm
• API String ID: 3780691363-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: DestructExceptionObject$__vcrt_getptd_noexit
• String ID: csm
• API String ID: 3780691363-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: `vector destructor iterator'$nt delete closure'
• API String ID: 592178966-1611991873
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: `vector destructor iterator'$nt delete closure'
• API String ID: 592178966-1611991873
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2975312748.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2975241569.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975593099.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975672931.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2975738503.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID: File
• API String ID: 932687459-749574446
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID: File
• API String ID: 932687459-749574446
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
• API String ID: 0-4293706295
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
• API String ID: 0-4293706295
                                                                                                                                          • Opcode ID: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                                          • Instruction ID: ffb873e33f24ff64d72577ffc472100e7d24292a4ee4940022bad741f5a5994a
                                                                                                                                          • Opcode Fuzzy Hash: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                                          • Instruction Fuzzy Hash: E621D637612A0387FE54DF55F859BAC23A0AB59F51F48C428C8CA833A0EF38D248CB05
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                                          • API String ID: 0-4293706295
                                                                                                                                          • Opcode ID: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
                                                                                                                                          • Instruction ID: 2b3f0a30c1259a21c04e86109ef383670515a3d33997fa5eeeaeab5e64445a9a
                                                                                                                                          • Opcode Fuzzy Hash: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
                                                                                                                                          • Instruction Fuzzy Hash: A521E737612B0387FE54DF55F859BAC23A0AB58B50F48C428C88A833A0EF3CD248CB05
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000002.00000002.2982091154.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                          • Associated: 00000002.00000002.2982180629.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000002.00000002.2982197847.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                                          • API String ID: 0-4293706295
                                                                                                                                          • Opcode ID: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
                                                                                                                                          • Instruction ID: cde2585cf13153271a4d7d089664989d999627a01a63d61e9ea037d58361e748
                                                                                                                                          • Opcode Fuzzy Hash: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
                                                                                                                                          • Instruction Fuzzy Hash: E221D837612B0387FE54DF55F859BAC23A0A758B90F48C428C88E833A0EF38D248CB15

                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:3.8%
                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                          Signature Coverage:35.2%
                                                                                                                                          Total number of Nodes:862
                                                                                                                                          Total number of Limit Nodes:82
                                                                                                                                          execution_graph 29442 180015621 29445 1800224e0 29442->29445 29444 18001562c 29446 180022526 memset memset memset 29445->29446 29447 180022667 memset gethostname gethostbyname inet_ntoa wsprintfW 29446->29447 29449 180022792 lstrcatW GetForegroundWindow 29447->29449 29451 1800227c3 GetWindowTextW 29449->29451 29452 1800227d9 VirtualAlloc 29449->29452 29451->29452 29453 1800228ab GetComputerNameW GetCurrentProcess IsWow64Process RegOpenKeyExW 29452->29453 29454 1800227fc GetModuleHandleW 29452->29454 29455 1800229af GlobalMemoryStatusEx wsprintfW VirtualAlloc VirtualAlloc 29453->29455 29456 180022930 RegQueryValueExW 29453->29456 29454->29453 29457 180022818 GetProcAddress 29454->29457 29460 180022a93 memset GetWindowsDirectoryW 29455->29460 29461 180022a32 29455->29461 29458 180022971 RegCloseKey GetSystemInfo wsprintfW 29456->29458 29459 180022969 RegCloseKey 29456->29459 29462 180022832 GetModuleHandleW 29457->29462 29463 18002282d 29457->29463 29458->29455 29459->29455 29465 180022ad3 GetVolumeInformationW wsprintfA wsprintfA wsprintfW CoInitializeEx 29460->29465 29466 180022ac9 GetLastError 29460->29466 29461->29460 29464 180022a37 GetUserNameW GetCurrentProcessId 29461->29464 29467 18002288b 29462->29467 29468 18002285f GetProcAddress 29462->29468 29463->29462 29513 18002c950 memset CreateToolhelp32Snapshot 29464->29513 29473 180022ce8 GetCurrentProcess IsWow64Process 29465->29473 29474 180022bd9 CoCreateInstance 29465->29474 29466->29465 29503 18002bdc0 29467->29503 29468->29467 29471 180022874 29468->29471 29471->29467 29480 180022d2e 29473->29480 29474->29473 29477 180022c09 29474->29477 29475 18002289a VirtualFree 29475->29453 29477->29473 29478 180022cb2 SysFreeString 29477->29478 29479 180022ce2 CoUninitialize 29477->29479 29478->29477 29479->29473 29520 180013330 VirtualAlloc 29480->29520 29485 180013330 51 API calls 
29486 180022e89 29485->29486 29487 180022ec2 VirtualFree 29486->29487 29488 180022ed7 29486->29488 29487->29488 29489 180022ee9 VirtualFree 29488->29489 29610 180026f00 IsBadReadPtr 29488->29610 29491 180022f02 VirtualFree 29489->29491 29492 180022f17 29489->29492 29491->29492 29494 180022f29 VirtualFree 29492->29494 29495 180026f00 6 API calls 29492->29495 29497 180022f40 29494->29497 29496 180022f25 29495->29496 29496->29494 29498 180022f75 29497->29498 29499 180022f60 VirtualFree 29497->29499 29500 180022f87 VirtualFree 29498->29500 29501 180026f00 6 API calls 29498->29501 29499->29498 29500->29444 29502 180022f83 29501->29502 29502->29500 29504 18002be50 29503->29504 29505 18002c586 memset 29504->29505 29506 18002c730 lstrcatW 29505->29506 29507 18002c5dd 29505->29507 29506->29475 29508 18002c602 29507->29508 29509 18002c5eb lstrcatW 29507->29509 29512 18002c628 29507->29512 29508->29506 29510 18002c611 lstrcatW 29508->29510 29508->29512 29509->29508 29510->29512 29511 18002c72a lstrcatW 29511->29506 29512->29506 29512->29511 29514 18002c991 Process32FirstW 29513->29514 29515 180022a57 wsprintfW VirtualFree VirtualFree 29513->29515 29516 18002c9af 29514->29516 29519 18002c9c8 29514->29519 29515->29460 29518 18002c9b6 Process32NextW 29516->29518 29516->29519 29517 18002ca3e CloseHandle 29517->29515 29518->29516 29518->29519 29519->29515 29519->29517 29521 180013842 29520->29521 29522 180013359 VirtualAlloc 29520->29522 29596 1800223b0 CreateToolhelp32Snapshot 29521->29596 29523 1800133b0 IsBadReadPtr 29522->29523 29524 18001339f InitializeCriticalSection 29522->29524 29525 1800133c6 29523->29525 29526 18001341b IsBadReadPtr 29523->29526 29524->29523 29525->29526 29527 1800133cb EnterCriticalSection VirtualAlloc 29525->29527 29528 180013431 29526->29528 29529 180013486 IsBadReadPtr 29526->29529 29530 180013411 LeaveCriticalSection 29527->29530 29531 1800133f1 29527->29531 29528->29529 29532 180013436 EnterCriticalSection VirtualAlloc 29528->29532 29533 1800134f1 
IsBadReadPtr 29529->29533 29534 18001349c 29529->29534 29530->29526 29531->29530 29535 18001347c LeaveCriticalSection 29532->29535 29536 18001345c 29532->29536 29538 180013507 29533->29538 29539 18001355c IsBadReadPtr 29533->29539 29534->29533 29537 1800134a1 EnterCriticalSection VirtualAlloc 29534->29537 29535->29529 29536->29535 29542 1800134e7 LeaveCriticalSection 29537->29542 29543 1800134c7 29537->29543 29538->29539 29544 18001350c EnterCriticalSection VirtualAlloc 29538->29544 29540 180013572 29539->29540 29541 1800135c7 IsBadReadPtr 29539->29541 29540->29541 29547 180013577 EnterCriticalSection VirtualAlloc 29540->29547 29548 180013632 IsBadReadPtr 29541->29548 29549 1800135dd 29541->29549 29542->29533 29543->29542 29545 180013552 LeaveCriticalSection 29544->29545 29546 180013532 29544->29546 29545->29539 29546->29545 29550 1800135bd LeaveCriticalSection 29547->29550 29551 18001359d 29547->29551 29553 180013648 29548->29553 29554 18001367e 29548->29554 29549->29548 29552 1800135e2 EnterCriticalSection VirtualAlloc 29549->29552 29550->29541 29551->29550 29556 180013628 LeaveCriticalSection 29552->29556 29557 180013608 29552->29557 29553->29554 29558 18001364d EnterCriticalSection 29553->29558 29555 180013681 IsBadReadPtr 29554->29555 29559 1800136d1 29555->29559 29560 18001369b 29555->29560 29556->29548 29557->29556 29561 180013662 29558->29561 29562 180013675 LeaveCriticalSection 29558->29562 29565 1800136d4 IsBadReadPtr 29559->29565 29560->29559 29564 1800136a0 EnterCriticalSection 29560->29564 29561->29562 29563 180013848 LeaveCriticalSection 29561->29563 29562->29554 29563->29555 29566 1800136b5 29564->29566 29567 1800136c8 LeaveCriticalSection 29564->29567 29568 18001372c 29565->29568 29569 1800136ee 29565->29569 29566->29567 29571 18001385a LeaveCriticalSection 29566->29571 29567->29559 29570 18001372f IsBadReadPtr 29568->29570 29569->29568 29572 1800136f3 EnterCriticalSection 29569->29572 29573 180013749 29570->29573 29574 18001377f 29570->29574 
29571->29565 29575 180013723 LeaveCriticalSection 29572->29575 29576 180013708 29572->29576 29573->29574 29577 18001374e EnterCriticalSection 29573->29577 29578 180013782 IsBadReadPtr 29574->29578 29575->29568 29576->29575 29583 18001386c LeaveCriticalSection 29576->29583 29579 180013763 29577->29579 29580 180013776 LeaveCriticalSection 29577->29580 29581 1800137d2 29578->29581 29582 18001379c 29578->29582 29579->29580 29585 18001387e LeaveCriticalSection 29579->29585 29580->29574 29584 1800137d5 IsBadReadPtr 29581->29584 29582->29581 29586 1800137a1 EnterCriticalSection 29582->29586 29583->29570 29587 18001382c 29584->29587 29588 1800137ef 29584->29588 29585->29578 29589 1800137b6 29586->29589 29590 1800137c9 LeaveCriticalSection 29586->29590 29587->29521 29588->29587 29591 1800137f4 EnterCriticalSection 29588->29591 29589->29590 29592 180013890 LeaveCriticalSection 29589->29592 29590->29581 29593 180013823 LeaveCriticalSection 29591->29593 29594 180013809 29591->29594 29592->29584 29593->29587 29594->29593 29595 1800138a2 LeaveCriticalSection 29594->29595 29595->29587 29597 1800223d4 malloc 29596->29597 29598 1800224d1 29596->29598 29599 1800224c3 CloseHandle 29597->29599 29600 1800223f0 Process32FirstW 29597->29600 29598->29485 29599->29598 29601 180022412 lstrlenW 29600->29601 29602 1800224ba free 29600->29602 29603 180022425 lstrlenW 29601->29603 29604 18002245a Process32NextW 29601->29604 29602->29599 29607 18002244b 29603->29607 29605 1800224b5 29604->29605 29606 18002246a 29604->29606 29605->29602 29608 180022470 lstrlenW 29606->29608 29609 1800224a5 Process32NextW 29606->29609 29607->29604 29608->29606 29609->29605 29609->29608 29611 180022ee5 29610->29611 29612 180026f18 29610->29612 29611->29489 29612->29611 29613 180026f1d EnterCriticalSection 29612->29613 29614 180026f39 29613->29614 29615 180026f5a LeaveCriticalSection DeleteCriticalSection VirtualFree 29613->29615 29616 180026f40 VirtualFree 29614->29616 29615->29611 29616->29615 29616->29616 29617 
180032930 WSASocketW 29618 1800329a6 getaddrinfo WSAGetLastError 29617->29618 29619 18003299b GetLastError 29617->29619 29621 1800329e5 29618->29621 29622 1800329da WSAGetLastError 29618->29622 29620 180032aff 29619->29620 29621->29622 29623 1800329eb htons connect 29621->29623 29622->29620 29623->29619 29624 180032a27 setsockopt setsockopt setsockopt WSAIoctl setsockopt 29623->29624 29624->29620 29625 180032c50 VirtualAlloc CreateEventW WSARecv WSAGetLastError 29626 180032d54 29625->29626 29627 180032d04 WaitForMultipleObjects 29625->29627 29630 180032d69 29626->29630 29631 180032d5e CloseHandle 29626->29631 29628 180032d26 WSAGetOverlappedResult 29627->29628 29629 180032d1d 29627->29629 29632 180032d4c WSAGetLastError 29628->29632 29629->29626 29629->29632 29633 180032d84 VirtualFree 29630->29633 29634 180032d95 29630->29634 29631->29630 29632->29626 29633->29634 29635 180027eb0 GetTickCount CreateFileW 29636 180027f72 29635->29636 29637 180027f0f 29635->29637 29637->29636 29638 180027f10 GetLastError 29637->29638 29639 180027f24 GetTickCount 29637->29639 29638->29637 29638->29639 29639->29636 29640 180027f33 SleepEx CreateFileW 29639->29640 29640->29636 29640->29638 29641 180011c70 CreateEventW VirtualAlloc 29651 180020680 VirtualAlloc 29641->29651 29643 180011cd5 WaitForSingleObject 29644 180011cea NtQuerySystemInformation 29643->29644 29647 180011cc7 29643->29647 29644->29647 29645 180011d0e VirtualFree VirtualAlloc 29645->29647 29646 180011d41 memset NtQuerySystemInformation 29646->29647 29647->29643 29647->29645 29647->29646 29648 180011d7c lstrcmpiW 29647->29648 29649 180011dcb WaitForSingleObject 29647->29649 29648->29647 29649->29647 29650 180011de4 CloseHandle 29649->29650 29650->29647 29652 180020d9b 29651->29652 29653 1800206a9 GetCurrentProcess OpenProcessToken 29651->29653 29652->29647 29654 1800206e3 LookupPrivilegeValueW AdjustTokenPrivileges GetLastError 29653->29654 29655 180020741 VirtualAlloc 29653->29655 29654->29655 29656 180020731 
29654->29656 29657 180020771 IsBadReadPtr 29655->29657 29658 180020760 InitializeCriticalSection 29655->29658 29656->29655 29661 18002073b CloseHandle 29656->29661 29659 180020787 29657->29659 29660 1800207dc IsBadReadPtr 29657->29660 29658->29657 29659->29660 29662 18002078c EnterCriticalSection VirtualAlloc 29659->29662 29663 1800207f2 29660->29663 29664 180020847 IsBadReadPtr 29660->29664 29661->29655 29665 1800207d2 LeaveCriticalSection 29662->29665 29666 1800207b2 29662->29666 29663->29664 29667 1800207f7 EnterCriticalSection VirtualAlloc 29663->29667 29668 1800208b2 IsBadReadPtr 29664->29668 29669 18002085d 29664->29669 29665->29660 29666->29665 29670 18002083d LeaveCriticalSection 29667->29670 29671 18002081d 29667->29671 29673 1800208c8 29668->29673 29674 18002091d IsBadReadPtr 29668->29674 29669->29668 29672 180020862 EnterCriticalSection VirtualAlloc 29669->29672 29670->29664 29671->29670 29678 1800208a8 LeaveCriticalSection 29672->29678 29679 180020888 29672->29679 29673->29674 29675 1800208cd EnterCriticalSection VirtualAlloc 29673->29675 29676 180020933 29674->29676 29677 180020988 IsBadReadPtr 29674->29677 29680 180020913 LeaveCriticalSection 29675->29680 29681 1800208f3 29675->29681 29676->29677 29682 180020938 EnterCriticalSection VirtualAlloc 29676->29682 29683 1800209f3 IsBadReadPtr 29677->29683 29684 18002099e 29677->29684 29678->29668 29679->29678 29680->29674 29681->29680 29685 18002097e LeaveCriticalSection 29682->29685 29686 18002095e 29682->29686 29688 180020a09 29683->29688 29689 180020a5e IsBadReadPtr 29683->29689 29684->29683 29687 1800209a3 EnterCriticalSection VirtualAlloc 29684->29687 29685->29677 29686->29685 29692 1800209e9 LeaveCriticalSection 29687->29692 29693 1800209c9 29687->29693 29688->29689 29694 180020a0e EnterCriticalSection VirtualAlloc 29688->29694 29690 180020a74 29689->29690 29691 180020ac9 IsBadReadPtr 29689->29691 29690->29691 29697 180020a79 EnterCriticalSection VirtualAlloc 29690->29697 29698 180020b1c 29691->29698 
29699 180020adf 29691->29699 29692->29683 29693->29692 29695 180020a54 LeaveCriticalSection 29694->29695 29696 180020a34 29694->29696 29695->29689 29696->29695 29700 180020abf LeaveCriticalSection 29697->29700 29701 180020a9f 29697->29701 29703 180020b1f IsBadReadPtr 29698->29703 29699->29698 29702 180020ae4 EnterCriticalSection 29699->29702 29700->29691 29701->29700 29706 180020b13 LeaveCriticalSection 29702->29706 29707 180020af9 29702->29707 29704 180020b38 29703->29704 29705 180020b6e 29703->29705 29704->29705 29708 180020b3d EnterCriticalSection 29704->29708 29709 180020b71 IsBadReadPtr 29705->29709 29706->29698 29707->29706 29714 180020da1 LeaveCriticalSection 29707->29714 29710 180020b52 29708->29710 29711 180020b65 LeaveCriticalSection 29708->29711 29712 180020bc1 29709->29712 29713 180020b8b 29709->29713 29710->29711 29715 180020db3 LeaveCriticalSection 29710->29715 29711->29705 29717 180020bc4 IsBadReadPtr 29712->29717 29713->29712 29716 180020b90 EnterCriticalSection 29713->29716 29714->29703 29715->29709 29718 180020bb8 LeaveCriticalSection 29716->29718 29719 180020ba5 29716->29719 29720 180020c1c 29717->29720 29721 180020bde 29717->29721 29718->29712 29719->29718 29723 180020dc5 LeaveCriticalSection 29719->29723 29722 180020c1f IsBadReadPtr 29720->29722 29721->29720 29724 180020be3 EnterCriticalSection 29721->29724 29727 180020c39 29722->29727 29728 180020c6f 29722->29728 29723->29717 29725 180020c13 LeaveCriticalSection 29724->29725 29726 180020bf8 29724->29726 29725->29720 29726->29725 29731 180020dd7 LeaveCriticalSection 29726->29731 29727->29728 29729 180020c3e EnterCriticalSection 29727->29729 29730 180020c72 IsBadReadPtr 29728->29730 29732 180020c66 LeaveCriticalSection 29729->29732 29737 180020c53 29729->29737 29733 180020cc2 29730->29733 29734 180020c8c 29730->29734 29731->29722 29732->29728 29735 180020cc5 IsBadReadPtr 29733->29735 29734->29733 29738 180020c91 EnterCriticalSection 29734->29738 29739 180020d1c 29735->29739 29740 180020cdf 
29735->29740 29736 180020de9 LeaveCriticalSection 29736->29730 29737->29732 29737->29736 29741 180020ca6 29738->29741 29742 180020cb9 LeaveCriticalSection 29738->29742 29745 180020d1f IsBadReadPtr 29739->29745 29740->29739 29744 180020ce4 EnterCriticalSection 29740->29744 29741->29742 29743 180020dfb LeaveCriticalSection 29741->29743 29742->29733 29743->29735 29746 180020d13 LeaveCriticalSection 29744->29746 29747 180020cf9 29744->29747 29748 180020d39 29745->29748 29749 180020d6f 29745->29749 29746->29739 29747->29746 29751 180020e0d LeaveCriticalSection 29747->29751 29748->29749 29750 180020d3e EnterCriticalSection 29748->29750 29749->29652 29752 180020d53 29750->29752 29753 180020d66 LeaveCriticalSection 29750->29753 29751->29745 29752->29753 29754 180020e1f LeaveCriticalSection 29752->29754 29753->29749 29754->29749 29755 180011e90 CreateThread 29756 180011ed1 IsBadReadPtr 29755->29756 29757 180011f64 GetNativeSystemInfo 29755->29757 29758 180011f57 29756->29758 29759 180011efe 29756->29759 29760 180011f94 29757->29760 29761 180011f9a CreateThread 29757->29761 29758->29757 29759->29758 29762 180011f03 EnterCriticalSection VirtualAlloc 29759->29762 29760->29761 29768 180011ff2 29760->29768 29763 180011fc6 CreateThread 29761->29763 29764 180011fbd CloseHandle 29761->29764 29765 180011f45 LeaveCriticalSection 29762->29765 29766 180011f30 29762->29766 29767 180011fe9 CloseHandle 29763->29767 29763->29768 29764->29763 29765->29758 29766->29765 29767->29768 29769 180013e10 29770 180013330 51 API calls 29769->29770 29771 180013e36 29770->29771 29772 180013e78 VirtualAlloc 29771->29772 29773 180014129 29771->29773 29775 180013e94 29772->29775 29781 180013e9b 29772->29781 29774 180015070 3 API calls 29773->29774 29788 180014139 29774->29788 29776 180013fd4 VirtualFree 29775->29776 29777 180013fe9 29775->29777 29776->29777 29778 180013ffb VirtualFree 29777->29778 29779 180026f00 6 API calls 29777->29779 29780 180014201 29778->29780 29782 180013ff7 29779->29782 
29781->29775 29783 180013f9f VirtualAlloc 29781->29783 29782->29778 29784 180014016 29783->29784 29785 180013fbb VirtualFree 29783->29785 29801 180036444 29784->29801 29785->29775 29790 1800141c7 VirtualFree 29788->29790 29791 1800141dc 29788->29791 29790->29791 29792 1800141ea 29791->29792 29793 180026f00 6 API calls 29791->29793 29794 1800141f1 VirtualFree 29792->29794 29793->29792 29794->29780 29796 1800140d8 VirtualFree 29797 1800140ed 29796->29797 29798 1800140ff VirtualFree VirtualFree 29797->29798 29799 180026f00 6 API calls 29797->29799 29798->29794 29800 1800140fb 29799->29800 29800->29798 29807 180036458 29801->29807 29804 180015070 _time64 srand 29805 180015100 rand 29804->29805 29805->29805 29806 180014047 29805->29806 29806->29796 29806->29797 29814 18003996c 29807->29814 29809 1800364b2 29811 180036514 29809->29811 29813 18001402c 29809->29813 29817 180038d24 22 API calls 29809->29817 29818 180039638 29811->29818 29813->29804 29822 1800396ec 29814->29822 29817->29809 29819 180039659 29818->29819 29820 18003965f 29819->29820 29821 18003967c free 29819->29821 29820->29813 29821->29820 29823 180039732 29822->29823 29829 18003980c 29822->29829 29824 1800397f4 malloc 29823->29824 29823->29829 29825 180039816 malloc 29824->29825 29824->29829 29827 18003988e 29825->29827 29826 180039921 29828 180039638 free 29826->29828 29827->29826 29830 1800398f1 29827->29830 29828->29829 29829->29809 29832 180039998 memset 29830->29832 29832->29829 29833 180017e90 GetCurrentProcessId ProcessIdToSessionId WTSEnumerateSessionsW 29834 180017f75 CreateThread 29833->29834 29837 180017eea 29833->29837 29835 180017f65 WTSFreeMemory 29835->29834 29836 180017f00 WTSQuerySessionInformationW 29836->29837 29837->29835 29837->29836 29838 180017f4d WTSFreeMemory 29837->29838 29839 180017f60 29837->29839 29841 1800176e0 memset GetSystemDirectoryW 29837->29841 29838->29837 29839->29835 29842 180017724 GetLastError 29841->29842 29843 18001772a lstrcatW IsBadReadPtr 29841->29843 
29842->29843 29845 18001791a 29843->29845 29846 18001794f 29843->29846 29845->29846 29847 18001791f EnterCriticalSection 29845->29847 29848 180020680 73 API calls 29846->29848 29849 180017934 29847->29849 29850 180017946 LeaveCriticalSection 29847->29850 29851 18001796f 29848->29851 29849->29850 29852 180017bda LeaveCriticalSection 29849->29852 29850->29846 29854 180017b95 29851->29854 29855 1800179ad IsBadReadPtr 29851->29855 29852->29846 29853 180017bc3 29852->29853 29853->29838 29856 180026f00 6 API calls 29854->29856 29857 180017a19 CreateThread 29855->29857 29858 1800179ce 29855->29858 29861 180017b9e VirtualFree 29856->29861 29859 180017a51 IsBadReadPtr 29857->29859 29860 180017abb 29857->29860 29858->29857 29862 1800179d3 EnterCriticalSection VirtualAlloc 29858->29862 29859->29860 29863 180017a71 29859->29863 29877 180028120 VirtualAlloc 29860->29877 29861->29853 29865 1800179fa 29862->29865 29866 180017a0f LeaveCriticalSection 29862->29866 29863->29860 29867 180017a76 EnterCriticalSection VirtualAlloc 29863->29867 29865->29866 29866->29857 29869 180017ab1 LeaveCriticalSection 29867->29869 29870 180017a9c 29867->29870 29869->29860 29870->29869 29871 180017b08 IsBadReadPtr 29872 180017b21 29871->29872 29873 180017b6b CreateThread 29871->29873 29872->29873 29874 180017b26 EnterCriticalSection VirtualAlloc 29872->29874 29873->29854 29875 180017b61 LeaveCriticalSection 29874->29875 29876 180017b4c 29874->29876 29875->29873 29876->29875 29878 180028145 InitializeCriticalSection 29877->29878 29879 180017ac3 memset GetCurrentProcessId wsprintfW 29877->29879 29878->29879 29879->29871 29880 180015150 memset wsprintfW 29881 1800151b7 CreateFileW 29880->29881 29882 1800151f5 GetFileSize 29881->29882 29904 1800152b5 29881->29904 29883 18001520b ReadFile 29882->29883 29882->29904 29885 1800152ac CloseHandle 29883->29885 29890 18001522f 29883->29890 29884 1800152c0 SetThreadExecutionState SystemParametersInfoW SystemParametersInfoW 29886 1800152fa lstrlenW 29884->29886 
Execution graph (continued; the report renders the graph as plain text, with each node given as `id address [API names]` and each edge as `id->id`, so only the per-function API call sets are recoverable here). Functions and the API calls reached from them, in the order the listing gives them:

• 180015334-180015569 (continuation of the function started above): lstrlenA, lstrcmpiW ×3, call to 180020680 (73 API calls), htons, call to 180026f00 (6 API calls), VirtualFree, call to 180014410, VirtualAlloc, CreateThread, call to 180013330 (51 API calls), VirtualFree, WaitForSingleObject, call to 180014d20 (47 API calls)
• 180014410: VirtualAlloc, VirtualAlloc, InitializeCriticalSection, then a repeated IsBadReadPtr / EnterCriticalSection / VirtualAlloc / LeaveCriticalSection pattern over successive table entries; CreateEventW ×3 together with WSACreateEvent; calls to 180032de0 (20 API calls) and 180034fa0 (42 API calls); further IsBadReadPtr / EnterCriticalSection / LeaveCriticalSection checks; VirtualAlloc, CreateEventW ×4, call to 180013330 (51 API calls), InitializeCriticalSection
• 18001aad0: GetModuleHandleW, RegisterClassW, CreateWindowExW, SetWindowLongPtrW, WTSRegisterSessionNotification, ShowWindow, GetMessageW / TranslateMessage / DispatchMessageW loop, WTSUnRegisterSessionNotification (a window message loop registered for session-change notifications)
• 180013bd0: WSAEventSelect, call to 180013330 (51 API calls), SetThreadExecutionState, SystemParametersInfoW ×2, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, WSAGetLastError, SetEvent, call to 1800138d0, VirtualFree, call to 180026f00 (6 API calls), VirtualFree
• 1800138d0: VirtualAlloc ×2, call chain 1800362e4 → 1800362fc → 180036339 → 180037cbc → 180037be0 → malloc, VirtualFree ×2
• 2d9773b0000 / 2d9773b0345 / 2d9773b0508 (code in a region outside any loaded image): VirtualFree; call chain 2d9773b0a68 → 2d9773b0768 → 2d9773b0778 → 2d9773b07a8 → 2d9773b0508, then LoadLibraryA and GetProcAddressForCaller in a loop (runtime import resolution)
• 180032b20: CreateEventW, WSASend, WSAGetLastError, WaitForMultipleObjects, WSAGetOverlappedResult, WSAGetLastError, CloseHandle
• 1800205a0: call to 18001c0f0, CreateFileW, memset, lstrlenA, DeviceIoControl, CloseHandle
• 180027fa0: PeekNamedPipe, VirtualAlloc, ReadFile, VirtualFree, FlushFileBuffers, GetLastError on the failure paths
• 180027e20: CreateNamedPipeW, GetLastError, ConnectNamedPipe, GetLastError
• 1800201a0: GetCurrentProcess, OpenProcessToken, DuplicateTokenEx, SetTokenInformation, CreateEnvironmentBlock, CreateProcessAsUserW (a second CreateProcessAsUserW on the first failing), GetLastError on each failure path, then call to 18001f9e0
• 18001f9e0: VirtualAllocEx, VirtualAllocEx, WriteProcessMemory, VirtualAllocEx, WriteProcessMemory, call to 18001f560 (VirtualAlloc, memcpy, VirtualFree), WriteProcessMemory, VirtualProtectEx ×2, then either memset / GetThreadContext / SetThreadContext or memset / Wow64GetThreadContext / Wow64SetThreadContext, ResumeThread; GetLastError on each failure path
• 180013180 and 180012fc0: ceil, VirtualAlloc, memcpy, VirtualFree (buffer growth helpers)
• 1800194c0: call to 180013330 (51 API calls), CreateToolhelp32Snapshot, GetProcessHeap, HeapAlloc, Process32FirstW, lstrcmpiW, Process32NextW, GetProcessHeap, HeapFree, CloseHandle, WTSGetActiveConsoleSessionId, ProcessIdToSessionId, call to 180016bc0 (IsBadReadPtr, EnterCriticalSection, LeaveCriticalSection), WaitForSingleObject; the snapshot / compare sequence is repeated, then VirtualFree and call to 180026f00 (6 API calls)
• 180012140: call to 18002b990 (VirtualAlloc, memcpy, VirtualAlloc, memcpy ×2, memset, ExpandEnvironmentStringsW, memset); call to 18002d340 (GetModuleHandleW, GetCurrentProcess, K32GetModuleInformation, memset, GetSystemDirectoryW, lstrcatW, CreateFileW, CreateFileMappingW, MapViewOfFile, then a VirtualProtect / memcpy / VirtualProtect loop, consistent with copying an on-disk DLL image over a loaded module); WSAStartup; call to 18002d7d0 (CoInitializeEx, CoCreateInstance, SysAllocString, SysFreeString, CoUninitialize); GetCommandLineW, CommandLineToArgvW; call to 18001afc0 (CreateEventW, VirtualAlloc ×4 with InitializeCriticalSection ×4); VirtualAlloc, InitializeCriticalSection, memset, GetCurrentProcessId, call to 18002c950 (5 API calls); lstrcmpiW ×4 on the arguments, branching to: call to 180012830 (GetModuleHandleW ×3, VirtualProtect ×2) then ExitThread; GetCurrentProcess / TerminateProcess; call to 18002d140 (OpenSCManagerW, EnumServicesStatusExW, malloc, memset, EnumServicesStatusExW, CloseServiceHandle, lstrcmpiW loop, free), GetCurrentProcessId, call to 18002ca60 (10 API calls), OpenProcess / TerminateProcess / CloseHandle, WaitForSingleObject / GetExitCodeProcess, Sleep, call to 1800126b0 (84 API calls), CreateThread / WaitForSingleObject / CloseHandle; memset, GetModuleFileNameW, wcsstr, GetNativeSystemInfo, memset, GetModuleFileNameW, IsUserAnAdmin, calls to 180020e40 (16 API calls), 180020fa0 (41 API calls), 18002d2a0 (8 API calls), memset, wsprintfW, call to 180001070, call to 180020680 (73 API calls), call to 180012000 (103 API calls), ExitProcess
• 180011ae0: CreateEventW, VirtualAlloc, call to 180020680 (73 API calls), WaitForSingleObject, NtQuerySystemInformation, VirtualFree / VirtualAlloc, memset, NtQuerySystemInformation, lstrcmpiW, WaitForSingleObject, CloseHandle (polling loop)

Control-flow Graph (function 180020680; rendered as plain text with basic blocks given as `id start-end [API names]` and edges as `id->id`; the executed / not-executed colouring of the original graph is not reproduced here). Blocks and API calls along the main path:

• 180020680: VirtualAlloc; on failure, jump to the epilogue at 180020d9b
• 1800206a9: GetCurrentProcess, OpenProcessToken
• 1800206e3: LookupPrivilegeValueW (for the string SeDebugPrivilege), AdjustTokenPrivileges, GetLastError; CloseHandle on the token at 18002073b
• 180020741: VirtualAlloc; 180020760: InitializeCriticalSection
• 180020771 onwards: a repeated IsBadReadPtr, EnterCriticalSection, VirtualAlloc, LeaveCriticalSection pattern over successive table entries (blocks 1800207dc, 180020847, 1800208b2, 18002091d, 180020988, 1800209f3, 180020a5e, 180020ac9), followed by IsBadReadPtr / EnterCriticalSection / LeaveCriticalSection checks without allocation (180020b1f, 180020b71, 180020bc4, 180020c1f, 180020c72, 180020cc5, 180020d1f), each with its own LeaveCriticalSection error exit (180020da1 through 180020e1f)
• 180020d6f: falls through to the return at 180020d9b
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterRead$AllocVirtual$ProcessToken$AdjustCloseCurrentErrorHandleInitializeLastLookupOpenPrivilegePrivilegesValue
• String ID: SeDebugPrivilege
• API String ID: 3221255601-2896544425
• Opcode ID: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
• Instruction ID: 8182a6c1e6bb2c399cdab592ca016c8a5b7603f4b1f61c7e89913c231e199cb3
• Opcode Fuzzy Hash: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
• Instruction Fuzzy Hash: 03320C35301F4986EB9B8F11EA543A97366FB48BC0F64C515EA6A43B95EF38D66CC300
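
The report exports both the execution graph and the per-function control-flow graphs as plain text in the same token grammar: a node is a decimal id followed by a hex address (or a `start-end` block range) and its API names, and an edge is `id->id`. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses that text and checks whether an ordered API chain is reachable from a function's entry node, which is how a reviewer can confirm from the graph alone that 18001f9e0 performs thread-context hijack injection (VirtualAllocEx, WriteProcessMemory, SetThreadContext or Wow64SetThreadContext, ResumeThread) and that 180020680 enables SeDebugPrivilege. The two sample inputs are excerpts copied from this report's graphs; the chain labels and their API sequences are the example's own choice, not fields of the report.

```python
import re
from collections import defaultdict

# Token grammar of the graph text as exported in this report (both the execution
# graph and the per-function control-flow graphs use it):
#   node := <decimal id> <hex address | hex start-hex end> [annotation ...]
#   edge := <id>-><id>
# Annotations are API names plus summaries such as "73 API calls", "memset * 3"
# or "call 18002c950"; only identifier-like tokens are kept as API names.
NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]{8,}(-[0-9a-f]{8,})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
NOT_AN_API = {"API", "calls", "call"}


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [api, ...]), edges maps id -> {ids}."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(set)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges[int(edge.group(1))].add(int(edge.group(2)))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], [])
            i += 2
        else:
            if current is not None and API_NAME.match(tok) and tok not in NOT_AN_API:
                nodes[current][1].append(tok)
            i += 1
    return nodes, edges


def entry_node(nodes, address):
    """Id of the node whose address (or block-range start) is `address`, or None."""
    for node_id, (addr, _apis) in nodes.items():
        if addr.split("-")[0] == address:
            return node_id
    return None


def chain_reachable(nodes, edges, start, chain):
    """True if some path from `start` calls the APIs in `chain` in that order
    (unrelated calls may be interleaved). Iterative DFS over (node, matched) states."""
    seen, stack = set(), [(start, 0)]
    while stack:
        node, matched = stack.pop()
        if (node, matched) in seen:
            continue
        seen.add((node, matched))
        for api in nodes.get(node, ("", []))[1]:
            if matched < len(chain) and api == chain[matched]:
                matched += 1
        if matched == len(chain):
            return True
        stack.extend((succ, matched) for succ in edges.get(node, ()))
    return False


# Chain labels and contents are this example's own choice, not fields of the report.
CHAINS = {
    "thread-context hijack (x64)": ["VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
    "thread-context hijack (WoW64)": ["VirtualAllocEx", "WriteProcessMemory", "Wow64SetThreadContext", "ResumeThread"],
    "remote-thread injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "SeDebugPrivilege enable": ["OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"],
}


def find_chains(text, address):
    """Sorted names of the CHAINS reachable from the function entered at `address`."""
    nodes, edges = parse_graph(text)
    start = entry_node(nodes, address)
    if start is None:
        return []
    return sorted(name for name, chain in CHAINS.items() if chain_reachable(nodes, edges, start, chain))


# Sample inputs, copied from this report's graphs: the execution-graph nodes of
# 18001f9e0 and its callee 18001f560, and the first blocks of the 180020680 CFG.
INJECTION_GRAPH = """30140 18001f9e0 VirtualAllocEx 30141 18001fa4a VirtualAllocEx 30140->30141 30142 18001fa3f GetLastError
30140->30142 30143 18001fa99 GetLastError 30141->30143 30144 18001fa79 WriteProcessMemory 30141->30144 30156 18001fcdb
30142->30156 30143->30156 30144->30143 30145 18001faa4 VirtualAllocEx 30144->30145 30146 18001fcd3 GetLastError
30145->30146 30147 18001fad7 WriteProcessMemory 30145->30147 30146->30156 30147->30146 30148 18001fafc 30147->30148
30158 18001f560 30148->30158 30150 18001fb04 WriteProcessMemory 30150->30146 30152 18001fc02 VirtualProtectEx VirtualProtectEx
30150->30152 30153 18001fc88 30152->30153 30154 18001fc4d memset GetThreadContext SetThreadContext 30152->30154
30153->30156 30157 18001fc8d memset Wow64GetThreadContext Wow64SetThreadContext 30153->30157 30155 18001fcc6 ResumeThread
30154->30155 30155->30146 30155->30156 30157->30155 30159 18001f6f1 30158->30159 30160 18001f574 30158->30160
30159->30150 30160->30159 30161 18001f584 VirtualAlloc 30160->30161"""

SEDEBUG_CFG = """0 180020680-1800206a3 VirtualAlloc 1 180020d9b-180020da0 0->1 2 1800206a9-1800206e1 GetCurrentProcess OpenProcessToken 0->2
3 1800206e3-18002072f LookupPrivilegeValueW AdjustTokenPrivileges GetLastError 2->3 4 180020741-18002075e VirtualAlloc 2->4 3->4
5 180020731-180020739 3->5 6 180020771-180020785 IsBadReadPtr 4->6 7 180020760-18002076d InitializeCriticalSection 4->7 5->4
10 18002073b CloseHandle 5->10 7->6 10->4"""

if __name__ == "__main__":
    print(find_chains(INJECTION_GRAPH, "18001f9e0"))  # both thread-context hijack chains
    print(find_chains(SEDEBUG_CFG, "180020680"))      # ['SeDebugPrivilege enable']
```

The subsequence check deliberately tolerates interleaved calls (the memset and VirtualProtectEx calls between WriteProcessMemory and SetThreadContext) and follows the callee edge into 18001f560, so the chain is found even though the writes and the context switch sit in different nodes. Multipliers such as `VirtualFree * 2` are dropped by the tokenizer; they do not matter for ordered-chain matching, but a count-sensitive check would need to keep them.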

Control-flow Graph (function 1800224e0; same plain-text rendering of blocks and edges; executed / not-executed colouring not reproduced). Blocks and API calls in order:

• 1800224e0: memset ×3; an initialisation loop at 1800226e0
• 180022733: memset, gethostname, gethostbyname, inet_ntoa, wsprintfW
• 1800227ad: lstrcatW, GetForegroundWindow; 1800227c3: GetWindowTextW
• 1800227d9: VirtualAlloc; 1800227fc: GetModuleHandleW (ntdll.dll), GetProcAddress; 180022832: GetModuleHandleW, GetProcAddress (the string list carries RtlGetNtVersionNumbers and RtlGetVersion for these two lookups); 18002288b: call 18002bdc0, VirtualFree
• 1800228ab: GetComputerNameW, GetCurrentProcess, IsWow64Process, RegOpenKeyExW (HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0); 180022930: RegQueryValueExW (~MHZ), RegCloseKey; 180022971: GetSystemInfo, wsprintfW (%d*%dMHz)
• 1800229af: GlobalMemoryStatusEx, wsprintfW (%dMB), VirtualAlloc ×2; 180022a37: GetUserNameW, GetCurrentProcessId, call 18002c950, wsprintfW, VirtualFree ×2
• 180022a93: memset, GetWindowsDirectoryW; 180022ac9: GetLastError
• 180022ae8: GetVolumeInformationW, wsprintfA ×2, wsprintfW, CoInitializeEx; 180022bd9: CoCreateInstance, then a loop over the returned items (180022c40 through 180022cdc) with SysFreeString at 180022cb2 and CoUninitialize at 180022ce2
• 180022ce8: GetCurrentProcess, IsWow64Process, call 180013330, call 1800223b0, call 180013330
• 180022ec2 onwards: VirtualFree cleanup of each buffer (with calls to 180026f00), return at 180022f87
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Alloc$wsprintf$CriticalSection$Processmemset$CurrentEnterRead$AddressCloseHandleInitializeLeaveModuleNameProcWindowWow64$ComputerCreateDirectoryErrorForegroundGlobalInfoInformationInstanceLastMemoryOpenQueryStatusStringSystemTextUninitializeUserValueVolumeWindowsgethostbynamegethostnameinet_ntoalstrcat
• String ID: %08X$%X%X%hs$%d*%dMHz$%dMB$%hs$1216$:$FriendlyName$HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0$HTTP$RtlGetNtVersionNumbers$RtlGetVersion$TCP$UDP$[U]:%s | [P]:%s$ntdll.dll$~MHZ
• API String ID: 1654958678-2219617641
• Opcode ID: 568594e8bc2c5765bfc1ae6a0361cb2a71fe365cdb98b8f02094b72811b38f6b
• Instruction ID: 85167b4e31fce27fea4a3dd865718084707bdea1bb1ad3282e4a31ddf71c6b33
• Opcode Fuzzy Hash: 568594e8bc2c5765bfc1ae6a0361cb2a71fe365cdb98b8f02094b72811b38f6b
• Instruction Fuzzy Hash: 6F628C36A14BC486EB62DF25DC547ED33A1FB9DB88F419215EA5947A64EF38C388C700

Control-flow Graph

control_flow_graph (function entry 180012140; graph data omitted)
APIs
  • Part of subcall function 000000018002B990: VirtualAlloc.KERNEL32 ref: 000000018002B9B9
  • Part of subcall function 000000018002B990: memcpy.NTDLL ref: 000000018002B9DD
  • Part of subcall function 000000018002B990: VirtualAlloc.KERNEL32 ref: 000000018002BA08
  • Part of subcall function 000000018002B990: memcpy.NTDLL ref: 000000018002BA3D
  • Part of subcall function 000000018002B990: memcpy.NTDLL ref: 000000018002BA73
  • Part of subcall function 000000018002B990: memset.NTDLL ref: 000000018002BB0C
  • Part of subcall function 000000018002B990: ExpandEnvironmentStringsW.KERNEL32 ref: 000000018002BB23
  • Part of subcall function 000000018002B990: memset.NTDLL ref: 000000018002BB38
  • Part of subcall function 000000018002D340: GetModuleHandleW.KERNEL32 ref: 000000018002D35F
  • Part of subcall function 000000018002D340: GetCurrentProcess.KERNEL32 ref: 000000018002D379
  • Part of subcall function 000000018002D340: K32GetModuleInformation.KERNEL32 ref: 000000018002D390
  • Part of subcall function 000000018002D340: memset.NTDLL ref: 000000018002D3A8
  • Part of subcall function 000000018002D340: GetSystemDirectoryW.KERNEL32 ref: 000000018002D3B7
  • Part of subcall function 000000018002D340: lstrcatW.KERNEL32 ref: 000000018002D3D9
  • Part of subcall function 000000018002D340: CreateFileW.KERNEL32 ref: 000000018002D406
  • Part of subcall function 000000018002D340: CreateFileMappingW.KERNELBASE ref: 000000018002D42D
  • Part of subcall function 000000018002D340: MapViewOfFile.KERNEL32 ref: 000000018002D457
  • Part of subcall function 000000018002D340: VirtualProtect.KERNEL32 ref: 000000018002D4F2
  • Part of subcall function 000000018002D340: memcpy.NTDLL ref: 000000018002D507
• WSAStartup.WS2_32 ref: 0000000180012167
  • Part of subcall function 000000018002D7D0: CoInitializeEx.COMBASE ref: 000000018002D820
  • Part of subcall function 000000018002D7D0: CoCreateInstance.COMBASE ref: 000000018002D845
  • Part of subcall function 000000018002D7D0: CoUninitialize.OLE32 ref: 000000018002D86E
• GetCommandLineW.KERNEL32 ref: 00000001800121A4
• CommandLineToArgvW.SHELL32 ref: 00000001800121B4
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001AFD7
  • Part of subcall function 000000018001AFC0: CreateEventW.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B061
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B086
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B098
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B0BD
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B0CF
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B0F4
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B106
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B12B
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B13D
• VirtualAlloc.KERNEL32 ref: 00000001800121D5
• InitializeCriticalSection.KERNEL32 ref: 00000001800121E7
• VirtualAlloc.KERNEL32 ref: 000000018001220C
• InitializeCriticalSection.KERNEL32 ref: 000000018001221E
• memset.NTDLL ref: 000000018001223F
• GetCurrentProcessId.KERNEL32 ref: 0000000180012244
• lstrcmpiW.KERNEL32 ref: 0000000180012264
• lstrcmpiW.KERNEL32 ref: 000000018001227F
• ExitThread.KERNEL32 ref: 0000000180012290
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$Initialize$CriticalSection$Creatememcpymemset$File$CommandCurrentLineModuleProcesslstrcmpi$ArgvDirectoryEnvironmentEventExitExpandHandleInformationInstanceMappingProtectStartupStringsSystemThreadUninitializeViewlstrcat
• String ID: %s\%s$/Processid:{F8284233-48F4-4680-ADDD-F8284233}$18.166.193.8$C:\Program Files\Windows Mail$Inject Test$Microsoft Mail Update Task MachineCore$MicrosoftMailUpdateTask$ParphaCrashReport64.exe$Schedule$perfmon.exe$svchost.exe$taskmgr.exe
• API String ID: 3540647475-76250962
• Opcode ID: 569088badbbcdac6d42bf1008e5f6975a5e4569a9871405a7f488f6c7dbac2ae
• Instruction ID: 2d135b880d5fe02e417b51c7c9d75e0b01d22dc8dd8ce6cea38afdafabf7ab39
• Opcode Fuzzy Hash: 569088badbbcdac6d42bf1008e5f6975a5e4569a9871405a7f488f6c7dbac2ae
• Instruction Fuzzy Hash: E3E15B31210F8986EBA69B21EC543D92362FB8CBC5F54C229F95A466A5FF38C75DD300

Control-flow Graph

control_flow_graph (function entry 1800176e0; graph data omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$Virtual$Alloc$EnterLeaveRead$Process$CreateCurrentErrorLastThreadTokenmemset$AdjustCloseDirectoryFreeHandleInitializeLookupOpenPrivilegePrivilegesSystemValuelstrcatwsprintf
• String ID: :G:$:$A:|:$B:_:$I:N:$I:S:$R:U:$U:Y:$V:V:$\\.\Pipe\%d_pipe%d$^:$_:I:$f:^:$j:H:${:~:$~:~:
• API String ID: 1888231936-1994672154
• Opcode ID: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
• Instruction ID: 3889ea3ac3043fc74429e799f3028dbf4620c996b15624d143a50c7995104de0
• Opcode Fuzzy Hash: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
• Instruction Fuzzy Hash: FCE19373604F848AE7518F31E8407EE77B5FB89B88F549215EE9907A59EF38D648CB00

Control-flow Graph

control_flow_graph (function entry 180015150; graph data omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Filelstrcmpi$CreateInfoParametersSystemThreadlstrlen$AllocCloseExecutionHandleObjectReadSingleSizeStateWaithtonsmemsetwsprintf
• String ID: %s\%s$18.166.193.8$C:\Program Files\Windows Mail$HTTP$PTCP$TCP$UDP$install.cfg
• API String ID: 1274318034-1950299317
• Opcode ID: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
• Instruction ID: 2f6e79b09caedb5c6ecaa2b644d67a3a665af9ed5fdace6e6c7bc957c955e5e0
• Opcode Fuzzy Hash: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
• Instruction Fuzzy Hash: E3B14832611B4986EB968F22EC54BD937A6FB8DBC1F548225ED9A47750EF38C64CC700

Control-flow Graph

control_flow_graph (function entry 1800194c0; graph data omitted)
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Heap$AllocVirtual$CriticalProcessSection$CloseFreeHandleProcess32Session$EnterRead$ActiveConsoleCreateFirstLeaveNextObjectSingleSnapshotToolhelp32Waitlstrcmpi$Initialize
                                                                                                                                          • String ID: explorer.exe
                                                                                                                                          • API String ID: 2751948232-3187896405
                                                                                                                                          • Opcode ID: b05089d6881e8808c4204a9cfe87279db86dff134d3bf9d3ac2242ebd18fc37f
                                                                                                                                          • Instruction ID: 32f2e8d2d4c86b41326691215f700daf0fb0283404abdd8ad98e089d9f1d483d
                                                                                                                                          • Opcode Fuzzy Hash: b05089d6881e8808c4204a9cfe87279db86dff134d3bf9d3ac2242ebd18fc37f
                                                                                                                                          • Instruction Fuzzy Hash: 8C815C31205B4982EB96DF62E85879973A2FB8DFD0F55C214E92A43794EF38C68DD700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: AllocErrorLastVirtual$MemoryProcessWrite
• String ID: @$h
• API String ID: 1382438346-1029331998
• Opcode ID: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
• Instruction ID: a7a10f81cb03d2afda9468892e7ca3dc18b483b94c8c543e7091a66b8c703a11
• Opcode Fuzzy Hash: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
• Instruction Fuzzy Hash: F481F832218BC486E7A18B59B85479EAB51F79A7C4F448219FEC647B49DF3CC709CB40

Control-flow Graph

control_flow_graph 535 180011ae0-180011b3a CreateEventW VirtualAlloc call 180020680 538 180011b40-180011b43 535->538 538->538 539 180011b45-180011b58 WaitForSingleObject 538->539 539->538 540 180011b5a-180011b77 NtQuerySystemInformation 539->540 541 180011baa 540->541 542 180011b79-180011b7c 540->542 545 180011bac-180011baf 541->545 543 180011ba6-180011ba8 542->543 544 180011b7e-180011ba3 VirtualFree VirtualAlloc 542->544 543->545 544->543 545->538 546 180011bb1-180011bda memset NtQuerySystemInformation 545->546 546->538 547 180011be0 546->547 548 180011be3-180011bea 547->548 549 180011bec-180011bfb lstrcmpiW 548->549 550 180011bfd-180011c01 548->550 549->550 551 180011c0c-180011c11 549->551 550->538 552 180011c07-180011c0a 550->552 551->538 553 180011c17-180011c35 551->553 552->548 553->538 555 180011c3b-180011c4e WaitForSingleObject 553->555 555->538 556 180011c54-180011c5f CloseHandle 555->556 556->538
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
• String ID: taskmgr.exe
• API String ID: 441768363-4156271273
• Opcode ID: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
• Instruction ID: 8c534c4529b1279cb1ee3dcd0e8a20b8e351fbbc3e98abf8b0580985b8146b18
• Opcode Fuzzy Hash: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
• Instruction Fuzzy Hash: BE419331309A4886E79A9F52E9547EAB752FB8CBD1F14C119FD5643A94EF38CA0CC740

Control-flow Graph

control_flow_graph 557 180011c70-180011cca CreateEventW VirtualAlloc call 180020680 560 180011cd0-180011cd3 557->560 560->560 561 180011cd5-180011ce8 WaitForSingleObject 560->561 561->560 562 180011cea-180011d07 NtQuerySystemInformation 561->562 563 180011d3a 562->563 564 180011d09-180011d0c 562->564 567 180011d3c-180011d3f 563->567 565 180011d36-180011d38 564->565 566 180011d0e-180011d33 VirtualFree VirtualAlloc 564->566 565->567 566->565 567->560 568 180011d41-180011d6a memset NtQuerySystemInformation 567->568 568->560 569 180011d70 568->569 570 180011d73-180011d7a 569->570 571 180011d7c-180011d8b lstrcmpiW 570->571 572 180011d8d-180011d91 570->572 571->572 573 180011d9c-180011da1 571->573 572->560 574 180011d97-180011d9a 572->574 573->560 575 180011da7-180011dc5 573->575 574->570 575->560 577 180011dcb-180011dde WaitForSingleObject 575->577 577->560 578 180011de4-180011def CloseHandle 577->578 578->560
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
• String ID: perfmon.exe
• API String ID: 441768363-2343862317
• Opcode ID: 1ff94469c56b8cc6a5d9ee662ab4a9b8b7f31cb7e0d49a88a5d64ab3ffe76320
• Instruction ID: 1ff6f72ff0560bcc7d3ab5e25184d4435df018d7ec391edcb978b88ee9d5e7f7
• Opcode Fuzzy Hash: 1ff94469c56b8cc6a5d9ee662ab4a9b8b7f31cb7e0d49a88a5d64ab3ffe76320
• Instruction Fuzzy Hash: FC418231305A4C46EB9A8F56F9147EAB762FB8CBD1F14C129FD5643A94DF38C6088780

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Message$RegisterWindow$NotificationSession$ClassCreateDispatchHandleLongModuleShowTranslate
• String ID: Session Logon
• API String ID: 1979525249-2950959013
• Opcode ID: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
• Instruction ID: d08fdae4d4f9fdd3136886858d865e0be8124aefc151439e2e8a41504d97a45e
• Opcode Fuzzy Hash: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
• Instruction Fuzzy Hash: 26415532658B8583E751CF25F85439AB3A1FB9D784F64D225EA9942A24EF38C189CB00

Control-flow Graph

control_flow_graph 594 180013e10-180013e72 call 180013330 599 180013e78-180013e92 VirtualAlloc 594->599 600 180014129-180014147 call 180015070 594->600 602 180013e94-180013e96 599->602 603 180013e9b-180013eb2 599->603 606 180014150-18001416c 600->606 605 180013fcc-180013fd2 602->605 613 180013eb8-180013ebd 603->613 614 180013f8d-180013f9d call 180036550 603->614 608 180013fd4-180013fe6 VirtualFree 605->608 609 180013fe9-180013ff0 605->609 606->606 612 18001416e-180014177 606->612 608->609 610 180013ff2-180013ff7 call 180026f00 609->610 611 180013ffb-180014011 VirtualFree 609->611 610->611 616 180014201-18001421a 611->616 617 180014180-18001418c 612->617 613->614 619 180013ec3-180013ec7 613->619 614->605 626 180013f9f-180013fb9 VirtualAlloc 614->626 617->617 622 18001418e-1800141c5 617->622 619->614 620 180013ecd-180013ed0 619->620 624 180013ed6-180013ede 620->624 625 180013f68-180013f78 620->625 644 1800141c7-1800141d9 VirtualFree 622->644 645 1800141dc-1800141e3 622->645 627 180013ee7-180013f08 624->627 628 180013ee0-180013ee5 624->628 629 180013f80-180013f8b 625->629 631 180014016-180014056 call 180036444 call 180015070 626->631 632 180013fbb-180013fc6 VirtualFree 626->632 633 180013f10-180013f62 627->633 628->627 629->614 629->629 643 180014060-180014078 631->643 632->605 633->633 635 180013f64-180013f66 633->635 635->614 635->625 643->643 648 18001407a-18001407f 643->648 644->645 646 1800141e5-1800141ea call 180026f00 645->646 647 1800141ee 645->647 646->647 650 1800141f1-1800141ff VirtualFree 647->650 651 180014080-18001408c 648->651 650->616 651->651 653 18001408e-1800140d6 651->653 659 1800140d8-1800140ea VirtualFree 653->659 660 1800140ed-1800140f4 653->660 659->660 661 1800140f6-1800140fb call 180026f00 660->661 662 1800140ff-180014124 VirtualFree * 2 660->662 662->650
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualAlloc.KERNEL32 ref: 0000000180013E86
• VirtualAlloc.KERNEL32 ref: 0000000180013FAD
• VirtualFree.KERNEL32 ref: 0000000180013FC6
• VirtualFree.KERNEL32 ref: 0000000180013FDC
• VirtualFree.KERNELBASE ref: 00000001800140E0
• VirtualFree.KERNEL32 ref: 000000018001410A
• VirtualFree.KERNELBASE ref: 000000018001411B
• VirtualFree.KERNEL32 ref: 0000000180014006
• VirtualFree.KERNELBASE ref: 00000001800141CF
• VirtualFree.KERNELBASE ref: 00000001800141F9
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
                                                                                                                                          • API ID: Virtual$Free$Alloc$CriticalSection$EnterRead$Leave$Initialize_time64randsrand
                                                                                                                                          • String ID: :
                                                                                                                                          • API String ID: 3336294232-336475711
                                                                                                                                          • Opcode ID: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
                                                                                                                                          • Instruction ID: ac7c9b2bb9ed7eb79858a5ee46919171fc2b07e9708586d287d69a6b6e660aff
                                                                                                                                          • Opcode Fuzzy Hash: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
• Instruction Fuzzy Hash: CDB1C032710B8482EB568F2AE4053A9A7A1FBCEFC4F14D225EE8947755EF38C649C740

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CloseEnumHandleServiceServicesStatusfree$ManagerOpenlstrcmpimallocmemset
• String ID:
• API String ID: 2647132813-0
• Opcode ID: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
• Instruction ID: 7c73760ca3ebe89c16cf9c31f76af7ec992950ddbeb1bc6f2b7493007aa42a7f
• Opcode Fuzzy Hash: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
• Instruction Fuzzy Hash: 53418832205B48CAE7A58F25F84479AB7A5FB8CB94F548525EE8D43B14EF38C64DDB00
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Process32lstrlen$Next$CloseCreateFirstHandleSnapshotToolhelp32freemalloc
• String ID:
• API String ID: 4027670598-0
• Opcode ID: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
• Instruction ID: 5ce6378f21c5ee87597c9bb07d5787008eb168cc985a55d02f6761e40f426007
• Opcode Fuzzy Hash: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
• Instruction Fuzzy Hash: 02315A71204B5582EB919F26E85439967B1FB8CFD0F549225EE5A43B68EF3CC64DCB00
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLastVirtual$AllocCloseCreateEventFreeHandleMultipleObjectsOverlappedRecvResultWait
• String ID:
• API String ID: 425432780-0
• Opcode ID: ed0ee6d2a44e02ea4b8664fa35f5b3073364424dd04f963a90776adab9f5fb3d
• Instruction ID: 80ddba25ada4c12ba25501bbea63694672ddceb4bf4905497e17ba262c6017a4
• Opcode Fuzzy Hash: ed0ee6d2a44e02ea4b8664fa35f5b3073364424dd04f963a90776adab9f5fb3d
• Instruction Fuzzy Hash: 19319532314B9482E766CF11F844B9BB7A5FB8DBD0F558125EA9903B24EF78C649CB01
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Process$CreateToken$User$BlockCurrentDuplicateEnvironmentErrorInformationLastOpen
• String ID:
• API String ID: 2924300727-0
• Opcode ID: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
• Instruction ID: 13034978c3ab2fb9f9047006cc71b10522f326b05abda6e4f2bcf0c65b74da56
• Opcode Fuzzy Hash: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
• Instruction Fuzzy Hash: 54513C32B04B858AE791CFA1E8807DD37B5F798788F509215AE8D67B18DF38C259D740
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandlelstrlenmemset
• String ID: \\.\{F8284233-48F4-4680-ADDD-F8284233}
• API String ID: 2589617790-329358119
• Opcode ID: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
• Instruction ID: 39cc20b0d125f0f5a721635b497ca12531b62917f9f5da8482c53947056ba4d5
• Opcode Fuzzy Hash: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
• Instruction Fuzzy Hash: 26111F36218B8582E7A2CB54F8547CAB7A1F7CD784F548126EA8D43B58EF7DC648CB40
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: NamedPipe$ConnectCreateErrorLast
• String ID:
• API String ID: 3851520242-0
• Opcode ID: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
• Instruction ID: 6bb7147edad98ca35960e2d476685a951813d0cf86fdcec3da0d9f41873a4748
• Opcode Fuzzy Hash: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
• Instruction Fuzzy Hash: CC017172304A4482D7518B16F940399B3A6EF8C7F4F148321FA79437A4EF78C9588B00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: File$CreateModuleProtectVirtual$CurrentDirectoryHandleInformationMappingProcessSystemViewlstrcatmemcpymemset
• String ID: .text$\ntdll.dll$ntdll.dll
• API String ID: 992094507-3745270394
• Opcode ID: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
• Instruction ID: 8bd433b68c42a9f1e6cbfa5eabf8f168c2bd36ca7b2ceeebe8acacb2e18380a2
• Opcode Fuzzy Hash: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
• Instruction Fuzzy Hash: CB51A372714B9886EBB2CF11E4487DA73A1F78DB84F548115EA9A03B58EF78D648CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2976345173.000002D9773B0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D9773B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d9773b0000_svchost.jbxd
Similarity
• API ID: AddressCallerLibraryLoadProc
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 4215043672-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction ID: 6cf1561fe823055220923bf2a0633dd9977d23f243ddabc523e0b5ac39feb914
• Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
                                                                                                                                          • Instruction Fuzzy Hash: C271E570614A098FFF58DF58D84ABA9B3E1FF94710F20411AF809DB295EB35DC828B85

                                                                                                                                          Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLast$Socketgetaddrinfo
• String ID:
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CreateThread$CloseCriticalHandleSection$AllocEnterInfoLeaveNativeReadSystemVirtual
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: StringUninitialize$AllocCreateFreeInitializeInstance
• String ID: Block All Outbound
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Allocmemcpy
• String ID: M$Z
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsSendWait
• String ID:
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorFileLastVirtual$AllocBuffersFlushFreeNamedPeekPipeRead
• String ID:
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: FreeMemoryProcessSession$CreateCurrentDirectoryEnumerateErrorInformationLastQuerySessionsSystemThreadlstrcatmemset
• String ID:
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CountCreateFileTick$ErrorLastSleep
• String ID:
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$FreeVirtual$DeleteEnterLeaveRead
• String ID:
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memcpy$AllocVirtualceil
• String ID:
                                                                                                                                          • API String ID: 311976409-0
                                                                                                                                          • Opcode ID: ed14ec51c383a9a13ba0ce0240a1051b4facac114c8e2550c0a0b869aba092f1
                                                                                                                                          • Instruction ID: 533183b41e036c783a1da9afa5a9cdf264f69900d761d72cd9a8306f1bb4b55c
                                                                                                                                          • Opcode Fuzzy Hash: ed14ec51c383a9a13ba0ce0240a1051b4facac114c8e2550c0a0b869aba092f1
                                                                                                                                          • Instruction Fuzzy Hash: CF31A232305A9496EB8A8F56E951399B3A0F78CBC0F10C429FB1A93B44DF38D57A8700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1267121359-0
                                                                                                                                          • Opcode ID: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
                                                                                                                                          • Instruction ID: 873e7e7ddb6e82f6207e00a8e9629a882d6d6560c0b57f88a74779bcce2b5edf
                                                                                                                                          • Opcode Fuzzy Hash: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
                                                                                                                                          • Instruction Fuzzy Hash: F6315C36A08B8982E752CB28D5083AD7360F79DB98F19E315EF9902256EF34D2C8C700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocFreeceilmemcpy
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 941304502-0
                                                                                                                                          • Opcode ID: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
                                                                                                                                          • Instruction ID: bd9c6ff85a7bdc568ee300e77c50e526046de82073029a9ad3e89b39f8e5a581
                                                                                                                                          • Opcode Fuzzy Hash: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
                                                                                                                                          • Instruction Fuzzy Hash: FC210832714A448AEB869F3AF450399A3A1EB8CFC4F18C125FA4D83749DE38CD958B40
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: malloc
                                                                                                                                          • String ID: X
                                                                                                                                          • API String ID: 2803490479-3081909835
                                                                                                                                          • Opcode ID: 954f3e60ac22a0164332870d1af20d99b01dc15cbae893ab9263c6fd20abe241
                                                                                                                                          • Instruction ID: 03aa7ddfb520b6f23ee5394375c5d4b88d09d0ef85018062d385f97ca1f5de20
                                                                                                                                          • Opcode Fuzzy Hash: 954f3e60ac22a0164332870d1af20d99b01dc15cbae893ab9263c6fd20abe241
                                                                                                                                          • Instruction Fuzzy Hash: 3671A332106B8487D7A7CF6AE44079E77E8F348B94F12852AEB9A43790DF38D559CB00
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2976345173.000002D9773B0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002D9773B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_2d9773b0000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1263568516-0
                                                                                                                                          • Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                          • Instruction ID: 0af41c1d1e5879fe8c70f66feb7f63f33902ba37f79adcaa3f536e281b6807ca
                                                                                                                                          • Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                          • Instruction Fuzzy Hash: A531A27165860487EB5CDA1CF885A68B3D0F755304B20115DF58BCB197EA2BEC438685
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: malloc
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2803490479-0
                                                                                                                                          • Opcode ID: 980fb9e1d4df5c01db13537fe2d87ee938b67c443b914f2420d5be5b7a1b2b4d
                                                                                                                                          • Instruction ID: 73f813260b3a99a6df67f7a2f834371fb8fea02c8dcec4733d69e86dcb6db410
                                                                                                                                          • Opcode Fuzzy Hash: 980fb9e1d4df5c01db13537fe2d87ee938b67c443b914f2420d5be5b7a1b2b4d
                                                                                                                                          • Instruction Fuzzy Hash: F421B772320A4886FBF7CB15D4503AE63A4E74CBD8F26A128EA0D47796DF35CA858300
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: free
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                          • Opcode ID: 098f93fbeb42c69fd8f32277914b2ae68ecf3252c39681ab5271f7009817d335
                                                                                                                                          • Instruction ID: 0a03297a77ecdba31d11b4f7a20f53efe35493dba5e5a446ec0584fdd327e906
                                                                                                                                          • Opcode Fuzzy Hash: 098f93fbeb42c69fd8f32277914b2ae68ecf3252c39681ab5271f7009817d335
                                                                                                                                          • Instruction Fuzzy Hash: 43213276301A0886DB65CF1AD18520EB3B1F788FD0B068122EF5D47B18DF32D9A4C340
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process$Token$CloseHandle$Freememset$LookupOpenVirtuallstrcpy$File$AccountAdjustCreateCurrentErrorGlobalInformationLastPrivilegePrivilegesProcess32Value$AllocClassDeviceDriveEnumFirstImageInfoLogicalMemoryModulesNameNextPriorityQuerySessionSizeSnapshotStringsToolhelp32__chkstklstrcatlstrlenwcsncmp
                                                                                                                                          • String ID: H$SeDebugPrivilege$unknown
                                                                                                                                          • API String ID: 976869081-3969872153
                                                                                                                                          • Opcode ID: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                                          • Instruction ID: ab662803f13f216cf9587554947d7041853fde5cbf24b98bf2e2890ab3468709
                                                                                                                                          • Opcode Fuzzy Hash: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                                          • Instruction Fuzzy Hash: A8226232601B8586EBA2CF61EC547DD73A1FB8DBD8F508215EA5947A98EF38C749C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Freelstrlen$memset$ProcessToken$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValuehtonsinet_ntoalstrcpy$Alloc
                                                                                                                                          • String ID: SeDebugPrivilege$System$TCP
                                                                                                                                          • API String ID: 2139412910-32757284
                                                                                                                                          • Opcode ID: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                                          • Instruction ID: 7145bea9de9cfa6b5ae00cd6a39de3e2ecb675f5dcbe9c5d5bc2232063b88fed
                                                                                                                                          • Opcode Fuzzy Hash: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                                          • Instruction Fuzzy Hash: ABF19176310B8486EBA5DF25E8047DE77A1FB8DB98F508215EA5A47B58DF38C24CCB40
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$lstrcat$AllocCriticalFreeSection$File$CloseHandle$EnterErrorLastProcessReadmemset$CreateLeaveMovememcpy$CurrentDeleteInitializeTerminateWrite
                                                                                                                                          • String ID: .bak$18.166.193.8$C:\Program Files\Windows Mail$ParphaCrashReport64.exe$arphaDump64.dll$h
                                                                                                                                          • API String ID: 2211108363-3529859090
                                                                                                                                          • Opcode ID: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                                          • Instruction ID: 6088b806c5e49e4d302fa251c9ee534a615dc6211a463a61944008de05cf0c31
                                                                                                                                          • Opcode Fuzzy Hash: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                                          • Instruction Fuzzy Hash: 66D19332610F8686EBA2CF35DC543E92361FB8DB88F14D215EA4A57A64EF38C359C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$lstrlen$ProcessTokenmemset$CriticalSection$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValue$AllocDeleteEnterLeaveReadhtonsinet_ntoalstrcpy
                                                                                                                                          • String ID: 0.0.0.0$SeDebugPrivilege$System$UDP
                                                                                                                                          • API String ID: 3759433425-459619966
                                                                                                                                          • Opcode ID: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
                                                                                                                                          • Instruction ID: e6e0c968282d8882f094be4972add8fe0f252a94b0e244f875fba5a0254720a6
                                                                                                                                          • Opcode Fuzzy Hash: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
                                                                                                                                          • Instruction Fuzzy Hash: 99F18C76310B8486EBA1DF22E8547DE77A1FB8DB98F508115EA5A47B58DF39C24CCB00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$Freelstrcat$Read$EnterLeave$DirectoryErrorLastmemset$InitializeSystemWindowsmemcpy
                                                                                                                                          • String ID: :$B:_:$HTTP$I:N:$R:U:$TCP$UDP$V:V:$\syswow64$f:^:
                                                                                                                                          • API String ID: 1846020110-2823427824
                                                                                                                                          • Opcode ID: e9a6c1f68d46521105151d4f1ece7a9abb65f008cd8859d4eff4fac00e1c520e
                                                                                                                                          • Instruction ID: dd258f5890ecb2e44b34d13f94b0b07d327da43a26d89795a623b7b3c6110883
                                                                                                                                          • Opcode Fuzzy Hash: e9a6c1f68d46521105151d4f1ece7a9abb65f008cd8859d4eff4fac00e1c520e
                                                                                                                                          • Instruction Fuzzy Hash: 52E1BD32711B8886EBA6CF26D8547ED63A1FB8DBC4F54C211EE4A47A54EF38D648D700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$Alloc$CloseErrorFileHandleLast$Createlstrcatlstrlen$DirectoryPathProcessRemoveSpecWindowsWritememsetwsprintf
                                                                                                                                          • String ID: \rar.exe$h$rar.exe a "%s" %s -m5
                                                                                                                                          • API String ID: 460989278-1571478729
                                                                                                                                          • Opcode ID: d6fa1d8524bb85152559a8366e61b1b4fff8d11480b6a2d1cb8cd4eedd6e302b
                                                                                                                                          • Instruction ID: c03e5a34a069fda9d454a07d238a75463c5969b9b5c5cf97840925747e468bcd
                                                                                                                                          • Opcode Fuzzy Hash: d6fa1d8524bb85152559a8366e61b1b4fff8d11480b6a2d1cb8cd4eedd6e302b
                                                                                                                                          • Instruction Fuzzy Hash: D5D17132310B9586EBA58F22E8587DD73A1FB8DBC4F548225EE5A47B58DF38C248C700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Alloc$CriticalSection$Free$EnterReadServicelstrlenmemcpy$EnumLeaveLocalOpenServicesStatus$CloseConfig2HandleInitializeManagerQuerymemset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1976463032-0
                                                                                                                                          • Opcode ID: e31869551b353607aec46271203f30b5e22ed9872d805ff8829a815e3cabd60d
                                                                                                                                          • Instruction ID: 07ba33366e91f24cf35d8fcc6b8bdfd4e23b1436d3e6e41a5118040a433c0547
                                                                                                                                          • Opcode Fuzzy Hash: e31869551b353607aec46271203f30b5e22ed9872d805ff8829a815e3cabd60d
                                                                                                                                          • Instruction Fuzzy Hash: 7A327F72A14BC886E752CF29D9447ED3361FB99B88F14E215EF8916A16EF35D2D8C300
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$AllocRead$EnterFileFreeLeave$lstrcat$CloseCreateErrorHandleLastSizememset
                                                                                                                                          • String ID: @$C:\Program Files\Windows Mail$\cp.cfg
                                                                                                                                          • API String ID: 1502650097-1776503346
                                                                                                                                          • Opcode ID: 03e5816f0febf9f2516ba56efb62d54b0cca26d4fb6bcd281216f8244b78d330
                                                                                                                                          • Instruction ID: c2f19d3434467f5612aefb1ee83e3f8382223a62b74b862b437922862cafa65c
                                                                                                                                          • Opcode Fuzzy Hash: 03e5816f0febf9f2516ba56efb62d54b0cca26d4fb6bcd281216f8244b78d330
                                                                                                                                          • Instruction Fuzzy Hash: 02C19031315F8882EBA68F25D8543A963A5FF8DBC4F58C215EA5A43B94EF38C719D700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrlen$ByteCharMultiWide$ClipboardVirtual$AllocGlobal$Freememcpy$CloseDataEmptyLockOpenUnlock
                                                                                                                                          • String ID: !
                                                                                                                                          • API String ID: 17242508-2657877971
                                                                                                                                          • Opcode ID: d0d0cce1298095d55bda04961aa882279e2f81b3c830c1949f663db54f22f3fc
                                                                                                                                          • Instruction ID: 00d56fbf8c4ab3c8f09728c361f09d65826bbb1f7cba3b49fadc20700520b80c
                                                                                                                                          • Opcode Fuzzy Hash: d0d0cce1298095d55bda04961aa882279e2f81b3c830c1949f663db54f22f3fc
                                                                                                                                          • Instruction Fuzzy Hash: 77719031215B4886EB96CF66E8943D973A6FF8CBC1F448124F98B52B64DF3CC2498740
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrcat$CriticalFileFindSectionmemset$FreeLeaveNextVirtual$CurrentEnterFirstObjectReadSingleSleepThreadWait__chkstklstrlenwcsstr
                                                                                                                                          • String ID: *.*
                                                                                                                                          • API String ID: 491004167-438819550
                                                                                                                                          • Opcode ID: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
                                                                                                                                          • Instruction ID: cade8498daad81a5c2802640b1cebf4252c5f7bdf05394be426f7502779f6333
                                                                                                                                          • Opcode Fuzzy Hash: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
                                                                                                                                          • Instruction Fuzzy Hash: BC918332311F8486EBA6DF21E8547DD63A1FB8DBC4F548126EE5A47A94EF38C649C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Virtual$AllocEnterFileLeaveRead$Freelstrcat$CloseCreateHandlePointerWritememset
                                                                                                                                          • String ID: C:\Program Files\Windows Mail$\cp.cfg
                                                                                                                                          • API String ID: 1370748441-3904790782
                                                                                                                                          • Opcode ID: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
                                                                                                                                          • Instruction ID: 91e17fd98d71c9e8135111786d201d67e54a1e698625a548bfb59b48f32e7dc2
                                                                                                                                          • Opcode Fuzzy Hash: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
                                                                                                                                          • Instruction Fuzzy Hash: 2FE1A272711F8582EBA68F29E4547AD63A1FF8ABC4F54C215EA8903B54EF38C758D700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$AllocFree$EnterErrorFileLastRead$CreateLeavehtonslstrcatmemset$CloseDirectoryHandleInitializeWindowsWrite
                                                                                                                                          • String ID: 18.166.193.8$\\.\{F8284233-48F4-4680-ADDD-F8284233}$\system32\drivers\tpdrivers.sys$tpdrivers
                                                                                                                                          • API String ID: 3655753775-1054416900
                                                                                                                                          • Opcode ID: db220a0706c505ffdfe986e89b00e689603627b43e6aef5444c71a3e61a513cc
                                                                                                                                          • Instruction ID: 12d95dd8c975c3e344e93b2daa028ff3376d6e0438f722d060c7a57747c014ac
                                                                                                                                          • Opcode Fuzzy Hash: db220a0706c505ffdfe986e89b00e689603627b43e6aef5444c71a3e61a513cc
                                                                                                                                          • Instruction Fuzzy Hash: 7171B731715B5482EBE2DF22F95479A63A1FB8CBC5F10C115EA9A43A64DF3CC65C8700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leavememcpy$CreateCurrentErrorInitializeLastMutexProcessSleepfreelstrcatmallocmemsetwsprintf
                                                                                                                                          • String ID: %s%d$:$Inject Test
                                                                                                                                          • API String ID: 3230380526-1060902658
                                                                                                                                          • Opcode ID: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
                                                                                                                                          • Instruction ID: dfed7ca6f992ea8d7163875ae2deb23361ae0a0e9c0ec7415be465c0bcf352bb
                                                                                                                                          • Opcode Fuzzy Hash: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
                                                                                                                                          • Instruction Fuzzy Hash: 63919131715B4882EB96CF66E8147A96361FB8DFC4F54C224EA8A43B55EF3CC2498740
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$memset$CriticalSection$Alloc$Enum$EnterRead$LeaveValue$CloseInitializeOpen__chkstk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2734444383-0
                                                                                                                                          • Opcode ID: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
                                                                                                                                          • Instruction ID: c7a300cf86788d9b2bb3ad5c5f19a5e509c8aa24f0c3c6b9264e97b70b831d55
                                                                                                                                          • Opcode Fuzzy Hash: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
                                                                                                                                          • Instruction Fuzzy Hash: 02F17E32310B8086EBB5CF62D998B9E73A5FB89B85F408115DF5A47B59DF38C219CB00
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: %s: %s: WAITING_DNS$ERROR reading from proxy socket$Failed to generate handshake for client$HTTP/1.$Peer hung up$cbail3$chs$cws$error sending h2 preface$http_proxy -> %u$http_proxy fail$lws_http_client_socket_service$problems parsing header$proxy conn dead$proxy read err$read failed
                                                                                                                                          • API String ID: 0-4263491741
                                                                                                                                          • Opcode ID: 78671e27a4717be73cabfba6896136bd0789db9dd6b82e4ebb3e1080ba416978
                                                                                                                                          • Instruction ID: 21a0462fd45df87ee5edc06867fd4a1a877ee659b96ff9b765cf0eaf7c443289
                                                                                                                                          • Opcode Fuzzy Hash: 78671e27a4717be73cabfba6896136bd0789db9dd6b82e4ebb3e1080ba416978
                                                                                                                                          • Instruction Fuzzy Hash: A7D1CF3120478C82FBEA9F2594413F96791AB8CBC8F58D121FE16A76D6DF3AD6498700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseHandle$CreateFreeVirtual$Pipe$InfoProcessStartupThreadlstrcatmemset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3234776578-3916222277
                                                                                                                                          • Opcode ID: 92ec81b901bfc6f2a5663ab9ca78efc14cc9e06966c3134a046e798205adb50d
                                                                                                                                          • Instruction ID: e36704ce14db8fa55e6c3ef5371abe2a4fb0e12ac5ce8d9abe4d7c9421358c08
                                                                                                                                          • Opcode Fuzzy Hash: 92ec81b901bfc6f2a5663ab9ca78efc14cc9e06966c3134a046e798205adb50d
                                                                                                                                          • Instruction Fuzzy Hash: 0C915036601F4486EB96CF62F95039E73B5FB88B88F158115EF9A43A14DF38C2A8D744
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: closesocketsetsockopt$ErrorLast$listensocket
                                                                                                                                          • String ID: %s: VH %s: iface %s port %d DOESN'T EXIST$%s: VH %s: iface %s port %d NOT USABLE$ERROR opening socket$Out of mem$_lws_vhost_init_server_af$listen failed with error %d$listen|%s|%s|%d$lws_create_vhost$reuseaddr failed
                                                                                                                                          • API String ID: 3630065070-1684632830
                                                                                                                                          • Opcode ID: 3b880312eee11432debff261864d0151b6d610a403db296dabe4168ddc5b799d
                                                                                                                                          • Instruction ID: 2766f3bb6dc4fce403585f370064895871a90e0ac9ff3b4998f931d318ec6775
                                                                                                                                          • Opcode Fuzzy Hash: 3b880312eee11432debff261864d0151b6d610a403db296dabe4168ddc5b799d
                                                                                                                                          • Instruction Fuzzy Hash: E7D18C72300B8886EB96CB16D4887DD33A1F78CBD8F558226EA2D477A1DF34C699C705
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$CriticalSection$Alloc$Find$EnterFileRead$LeaveNextlstrcatmemset$CloseFirstInitialize
                                                                                                                                          • String ID: *.*
                                                                                                                                          • API String ID: 3909642798-438819550
                                                                                                                                          • Opcode ID: 4ce18a9b90196395475cfb8a2b41f3e008fbd196779cbce07c17fbf59d62ab14
                                                                                                                                          • Instruction ID: 0c4d991779888e973b7db5cd2e96938188924a16c3f10448eab00e3ce2e85064
                                                                                                                                          • Opcode Fuzzy Hash: 4ce18a9b90196395475cfb8a2b41f3e008fbd196779cbce07c17fbf59d62ab14
                                                                                                                                          • Instruction Fuzzy Hash: 0DA19E36301B4482EBA6DF62E8587AA63A5FB8DFC8F14C024EE4A43754DF39C649D705
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Service$ErrorLast$CloseHandle$lstrcatmemset$CreateDirectoryManagerOpenStartWindows
                                                                                                                                          • String ID: FSFilter Activity Monitor$FltMgr$\system32\drivers\tpdrivers.sys$tpdrivers
                                                                                                                                          • API String ID: 4233479461-606275738
                                                                                                                                          • Opcode ID: 38649f7966a210fa7a925492f7da8da3f08e55cc04dda45abaec5e3d19128508
                                                                                                                                          • Instruction ID: be4161d35e4edffc8d18653c63b0145683f113417105ade20d90917bd565f143
                                                                                                                                          • Opcode Fuzzy Hash: 38649f7966a210fa7a925492f7da8da3f08e55cc04dda45abaec5e3d19128508
                                                                                                                                          • Instruction Fuzzy Hash: 63318F35604B8482EB928B54F8543DA73A2FB8C7D4F548125EA9E42B68EF3CC34DCB00
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Process$CreateProcess32$AllocCloseHandleMemoryNextOpenRemoteThreadVirtualWritelstrcmpi$FirstSnapshotToolhelp32
• String ID: @$winlogon.exe
• API String ID: 2717908072-2705468112
• Opcode ID: 9adab53390aa097aff988e1355229478ff467b453e21ebe2fac670c522015f7e
• Instruction ID: 4f48c20b5f6e5e976debb9c4ef6a3f07c2835b05d0dbc98f6ef438c5d6a82c9a
• Opcode Fuzzy Hash: 9adab53390aa097aff988e1355229478ff467b453e21ebe2fac670c522015f7e
• Instruction Fuzzy Hash: 65517431345B8986EBE68F12B8547967395EB8EBC4F588128EA4D47754FF3CC24D8B04
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: File$AttributesCreatePointerVirtualWritelstrcat$AllocCloseCountFreeHandleTickmemset
• String ID: C:\Program Files\Windows Mail$\temp.key
• API String ID: 573267298-229217837
• Opcode ID: 56780571c3b5b24d83ae8df9fa4e23bd7118c424518018f72ede47bea234dd3e
• Instruction ID: 39fad07a16c8704c8e09e2da5d2261186e7f98d000fc3352d74f7c3f3773f4dc
• Opcode Fuzzy Hash: 56780571c3b5b24d83ae8df9fa4e23bd7118c424518018f72ede47bea234dd3e
• Instruction Fuzzy Hash: 9E619172614F9982EBA18F25E808BDA7761FB89BC4F50C211EA9657B54EF3CC709C700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Clipboard$CriticalSectionlstrlen$Global$CloseEnterLeavememcpy$AllocDataEmptyLockOpenUnlockmemcmp
• String ID:
• API String ID: 1993803941-0
• Opcode ID: f9a916733851e6dc62f61d2f66a0daea919dc5e740a42f29a2d1ffc9bea0251b
• Instruction ID: 58dd28c6ce58bb26b4bd6f8d61a77f28d171b14bf80a9d30c92ec28687e864cc
• Opcode Fuzzy Hash: f9a916733851e6dc62f61d2f66a0daea919dc5e740a42f29a2d1ffc9bea0251b
• Instruction Fuzzy Hash: 67515F31202F0985FF9A9FA699543A963A1FF4DBC0F58C425EE1A077A4EF38D6598300
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$MemoryProcessWrite$Protect$AddressErrorFreeHandleLastModuleProcmemcpy
• String ID: @$ZwCreateThreadEx$h$ntdll.dll
• API String ID: 2541485474-1855171776
• Opcode ID: 396edaa950aea8bb2834e9a8a087e273c859751424a80b509f85d4148d5affe0
• Instruction ID: b914b1c6b4854bd9bbe5246b375c866756148f1a68b4d635330a0ff3f8bed5ac
• Opcode Fuzzy Hash: 396edaa950aea8bb2834e9a8a087e273c859751424a80b509f85d4148d5affe0
• Instruction Fuzzy Hash: 3881E232714B848AF766CF69A8447AD3A61F74A7C8F444319EE9957B88DF38C30AC750
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$Free$FileRead$EnterErrorLast$Leavefree$CreateInitializePointerSizemallocmemcpy
• String ID:
• API String ID: 1128571104-0
• Opcode ID: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
• Instruction ID: 7e6667f5687e21de03c6395f9980a8ab6106eacff8aa6e952de2fb0cb8ce4fda
• Opcode Fuzzy Hash: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
• Instruction Fuzzy Hash: 63718136305B8486EBA5CF22E95879B73A1FB8DBD4F108115EE9A43B54DF38C259DB00
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CapsDevice$BlockInput$Virtualkeybd_event
• String ID:
• API String ID: 4019288356-0
• Opcode ID: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
• Instruction ID: 51607d66c44d631e5514e6cc14082b91fee79f825fdabc4b9e198b8b7d56ef02
• Opcode Fuzzy Hash: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
• Instruction Fuzzy Hash: 8861EB326147C887E397DB31A8487AA73A5FB8E7C5F54C211FA4A03664EF39D689C700
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: strchr
• String ID: %s: ended on e %d$%s: malformed ip address$lws_create_vhost$lws_parse_numeric_address
• API String ID: 2830005266-2525933588
• Opcode ID: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
• Instruction ID: d636d15f552ec0f279111f20eb57849166517b3c99d00c477bd79e5d42a6d3a3
• Opcode Fuzzy Hash: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
• Instruction Fuzzy Hash: 05A14632B0468C45FAE38A2894043EA7A51E74A7E8F64C311FAA7277F5CE36C74D8701
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180017423
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134EB
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800134FD
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013510
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013527
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013556
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013568
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001357B
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013592
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135C1
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800135D3
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135E6
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135FD
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001362C
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001363E
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013654
• VirtualFree.KERNEL32 ref: 000000018001744D
• VirtualFree.KERNEL32 ref: 000000018001749D
• VirtualFree.KERNEL32 ref: 00000001800174C7
• VirtualFree.KERNEL32 ref: 00000001800174EF
• VirtualFree.KERNEL32 ref: 0000000180017519
• DisconnectNamedPipe.KERNEL32 ref: 0000000180017546
• CloseHandle.KERNEL32 ref: 0000000180017555
• DeleteCriticalSection.KERNEL32 ref: 0000000180017563
• VirtualFree.KERNEL32 ref: 0000000180017574
• VirtualFree.KERNEL32 ref: 0000000180017615
• VirtualFree.KERNEL32 ref: 000000018001763F
• VirtualFree.KERNEL32 ref: 0000000180017655
• VirtualFree.KERNEL32 ref: 000000018001767F
• VirtualFree.KERNEL32 ref: 0000000180017695
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013678
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013691
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800136A7
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800136CB
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800136E4
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800136FA
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013726
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001373F
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013755
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013779
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013792
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800137A8
                                                                                                                                            • Part of subcall function 0000000180016BC0: IsBadReadPtr.KERNEL32 ref: 0000000180016BE3
                                                                                                                                            • Part of subcall function 0000000180016BC0: EnterCriticalSection.KERNEL32(?,?,00000038,00000001800171A6), ref: 0000000180016BFE
                                                                                                                                            • Part of subcall function 0000000180016BC0: LeaveCriticalSection.KERNEL32(?,?,00000038,00000001800171A6), ref: 0000000180016C21
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800176BF
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Virtual$Free$EnterRead$Leave$Alloc$lstrcat$CloseDeleteDisconnectHandleInitializeNamedPipememcpymemset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4255235403-0
                                                                                                                                          • Opcode ID: 487ab0318e1d18530209ff1e23f5e332d75461c33a839119e161c17338c97bb7
                                                                                                                                          • Instruction ID: babdb363706aaf13186cd58188e906dd6551b25749ad794e3c97fd5ce7c8e0dc
                                                                                                                                          • Opcode Fuzzy Hash: 487ab0318e1d18530209ff1e23f5e332d75461c33a839119e161c17338c97bb7
                                                                                                                                          • Instruction Fuzzy Hash: 9D911836705F4486EBA6DF66E95036973A1FB8DFC0F08C114EA8A43B56DF38D2588700
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalFreeSection$AllocCreateEnterErrorLastLeaveReadThreadbindhtonlhtonsinet_addrlistenmemsetsetsockoptsocket
• String ID:
• API String ID: 1206800484-0
• Opcode ID: 3b4ce19dcc75c1c8cdbd46baa2501b7c779ff89514a24e43775d64ba7dc00e07
• Instruction ID: 8c37b3e26c9d2b08fb46051b3eba7674f5bc302b0b96bdb988dfcbce2372576e
• Opcode Fuzzy Hash: 3b4ce19dcc75c1c8cdbd46baa2501b7c779ff89514a24e43775d64ba7dc00e07
• Instruction Fuzzy Hash: 19516C36305B5486EBA68F21E8543DD73B1FB8CF85F548125EA4A43B94EF38C659DB00
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: _stricmp$_atoi64
• String ID: Basic realm="lwsws"$Unable to find plugin '%s'$close$http action CALLBACK bind$http_action HTTP$index.html$keep-alive$lws_http_action$no mount hit
• API String ID: 3615839938-539034854
• Opcode ID: 42451850e58ed0897b44b1e692b0d652687ccba59d4a3584232ad48d43f11056
• Instruction ID: c85f8a637d88cc95b17b7b12485c421cb72b9085f7fd7bb2a0c8fa8c61fd7d62
• Opcode Fuzzy Hash: 42451850e58ed0897b44b1e692b0d652687ccba59d4a3584232ad48d43f11056
• Instruction Fuzzy Hash: DB22B472300B8996EBA69F22D4803DD27A5FB49BCCF458836EE4957799EF34C609D304
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a76960f33f7b699ea47f10996dbc376ab567cd27cc47711776d389580683e5e3
• Instruction ID: 60423ae12fd94438baa3cf898bd68c6d21163082e13b3844440245a4f48370d1
• Opcode Fuzzy Hash: a76960f33f7b699ea47f10996dbc376ab567cd27cc47711776d389580683e5e3
• Instruction Fuzzy Hash: 22B1D231649A8D8AFB9BD768F9403E42391F70D7D1F91C126F49987690DE2C8B8F9306
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: FreeVirtual$freemalloc$GroupLocalMembersSleepUser
• String ID: Administrators
• API String ID: 2980277588-3395160503
• Opcode ID: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
• Instruction ID: 7f64238c5f2db27e2cb8eceb7629a4ddaca5bd09597119c914e0740545c426d3
• Opcode Fuzzy Hash: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
• Instruction Fuzzy Hash: D4517F32B00B048AEB56DF75D8543ED33A1FB8DB89F14C125EE4A56B58DE38C659C740
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: FileFreeVirtual$CreateErrorLastPointerSizeWritefreemalloc
• String ID:
• API String ID: 287149550-0
• Opcode ID: 0223230c3a5642bc6ac120d5f3bc129a0fc1910174e513a298f1f88523c3db28
• Instruction ID: 80e45b664543585f4643f9112c24d8a843cc9f14f2b8051dce630e8d098ad42e
• Opcode Fuzzy Hash: 0223230c3a5642bc6ac120d5f3bc129a0fc1910174e513a298f1f88523c3db28
• Instruction Fuzzy Hash: AA618072311B8486EB65CF22E95479A73A5FB8CFD4F108215EE9A07B54DF38C259C700
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memset$lstrlen$DeviceDiskDriveFreeInformationQuerySpaceTypeVolume
• String ID: :$\
• API String ID: 2115141164-1166558509
• Opcode ID: 2477ab74630cff7d9f10f7953b90637281b9d5ed11b09ba90bcaab8a2ec660d9
• Instruction ID: 08b8c3128405f4ed23382147f1039dffd5c43d6198621a424984a10230734bc2
• Opcode Fuzzy Hash: 2477ab74630cff7d9f10f7953b90637281b9d5ed11b09ba90bcaab8a2ec660d9
• Instruction Fuzzy Hash: 76515E32214B8487EB71CF25E8447DE7761F78AB89F505111EB8A47A68EF38D74ACB00
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLastProcessToken$AdjustAllocCloseCurrentHandleLookupOpenPrivilegePrivilegesValueVirtualmemcpy
• String ID: SeDebugPrivilege
• API String ID: 941393880-2896544425
• Opcode ID: 13ad378ceb3cf1b95ba2275f286f3521988d44e0188879ad38e1d67537cb33ea
• Instruction ID: ea4f92aae033d01013d5b6c73fd74f6cf41a10a7a00df61154ea5ed3773aceec
• Opcode Fuzzy Hash: 13ad378ceb3cf1b95ba2275f286f3521988d44e0188879ad38e1d67537cb33ea
• Instruction Fuzzy Hash: 0E318271214B4486E796DF26F84478A77A1FB8CBD4F148225BE56437A5DF3CC649CB00
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018002624A
• VirtualFree.KERNEL32 ref: 0000000180026274
• OpenClipboard.USER32 ref: 0000000180026302
• GlobalAlloc.KERNEL32 ref: 000000018002631A
• GlobalLock.KERNEL32 ref: 000000018002632B
• GlobalUnlock.KERNEL32 ref: 0000000180026349
• SetClipboardData.USER32 ref: 0000000180026357
• CloseClipboard.USER32 ref: 000000018002635D
• VirtualFree.KERNEL32 ref: 0000000180026373
• VirtualFree.KERNEL32 ref: 000000018002639D
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$Free$ClipboardEnterGlobalRead$Leave$CloseDataInitializeLockOpenUnlock
• String ID:
• API String ID: 1362927461-0
• Opcode ID: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
• Instruction ID: d64dd42c3dc8fb4412f7557b5568284cb69eb52a1192a69af238dbfe421c115e
• Opcode Fuzzy Hash: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
• Instruction Fuzzy Hash: AF416031715B4486EBA9DF22EA5436D63A1FB8DFC1F44C114EA9A43F54EF38D2698700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
• String ID:
• API String ID: 2775880128-0
• Opcode ID: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
• Instruction ID: 4765e8045a5846deb9287ac6894a5dec6d9a063d7bfc4cb050589aecf0a9d8b0
• Opcode Fuzzy Hash: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
• Instruction Fuzzy Hash: D8416332A14B8586E750CF64EC503EE3371F799748F519229EB9D47A55EF78C298C700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: OpenService$CloseErrorHandleLastManager
• String ID:
• API String ID: 2659350385-0
• Opcode ID: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
• Instruction ID: 287740d799c7e1e53cdf3a8a1bbdcd1450047062a2d3c82c89dea545571af17d
• Opcode Fuzzy Hash: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
• Instruction Fuzzy Hash: A5215135714B4882FBC68B66B95436953A2EB8CFD0F149521FE1A43B15EE7CC68D9B00
APIs
• memset.NTDLL ref: 000000018001D449
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018001D482
• VirtualFree.KERNEL32 ref: 000000018001D4AC
• VirtualFree.KERNEL32 ref: 000000018001D504
• VirtualFree.KERNEL32 ref: 000000018001D52E
• ShellExecuteW.SHELL32 ref: 000000018001D55A
• ShellExecuteW.SHELL32 ref: 000000018001D589
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$ExecuteLeaveShell$Initializememset
• String ID: open
• API String ID: 3986399138-2758837156
• Opcode ID: df41ce004a0aaed4cbd927262bd2ebd9c58ead5be3ffc2416f51e3800e93ca49
• Instruction ID: 1b8a6c642bf93aa42689e3d3a50d3f6becf4bfffa3bac452e60f994c4d2ec9e9
• Opcode Fuzzy Hash: df41ce004a0aaed4cbd927262bd2ebd9c58ead5be3ffc2416f51e3800e93ca49
• Instruction Fuzzy Hash: 7D418032304B4886EBA5DF62E59479A73A1FB8CBC4F448115EB8A43F54DF39D259CB00
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
• Instruction ID: aea3e42844f27a4b6fcd00041571d0e8665cba4bdf9a2ae2b4636f6f6e3ab17e
• Opcode Fuzzy Hash: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
• Instruction Fuzzy Hash: AA513E36305B0487EB96DF26EA547A96361FB8DBC1F048025EF4A47B54DF38D2AA9700
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• NetUserEnum.NETAPI32 ref: 000000018002688C
• lstrlenW.KERNEL32 ref: 00000001800268CE
• NetApiBufferFree.NETAPI32 ref: 0000000180026929
• malloc.MSVCRT ref: 0000000180026945
• VirtualFree.KERNEL32 ref: 00000001800269F7
• VirtualFree.KERNEL32 ref: 0000000180026A21
• free.MSVCRT ref: 0000000180026A2A
• VirtualFree.KERNEL32 ref: 0000000180026A54
• VirtualFree.KERNEL32 ref: 0000000180026A7E
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$BufferEnumInitializeUserfreelstrlenmalloc
• String ID:
• API String ID: 1638303497-0
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 313767242-0
Similarity
• API ID: ErrorFreeLastOpenServiceVirtual$CloseHandleManager
• String ID:
• API String ID: 3563172158-0
Similarity
• API ID: socket$bindgetsocknamehtonl
• String ID: %s: failed$lws_plat_pipe_create
• API String ID: 858234250-3012564250
Similarity
• API ID: Free$InitializeStringVirtual$AllocCreateInitInstanceSecurityVariant
• String ID:
• API String ID: 1458724981-0
Similarity
• API ID: ClipboardGlobal$AllocCloseDataErrorLastLockOpenSleepUnlock
• String ID:
• API String ID: 3499886738-0
Similarity
• API ID: File_errno$ErrorHandleInformationLastNamedPeekPipeType_getdrive
• String ID:
• API String ID: 3135900542-0
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180024504
• VirtualFree.KERNEL32 ref: 000000018002452E
• VirtualAlloc.KERNEL32 ref: 0000000180024545
• VirtualFree.KERNEL32 ref: 000000018002463C
• VirtualFree.KERNEL32 ref: 0000000180024666
• VirtualFree.KERNEL32 ref: 000000018002468B
• VirtualFree.KERNEL32 ref: 00000001800246B5
• VirtualFree.KERNEL32 ref: 00000001800246DA
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
                                                                                                                                            • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
                                                                                                                                            • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 948184506-0
                                                                                                                                          • Opcode ID: 596298e50b01ed8f643993e2f4d92b6ac2ecaa8b621bb896cb70dc7b0923128e
                                                                                                                                          • Instruction ID: 64ae41a8cee7ab66ca288a66ccfc0691979ea804a72ad088179f8830a55565e0
                                                                                                                                          • Opcode Fuzzy Hash: 596298e50b01ed8f643993e2f4d92b6ac2ecaa8b621bb896cb70dc7b0923128e
                                                                                                                                          • Instruction Fuzzy Hash: 7C612D36601F4486EBA6DF62E85479A73A5FB4CB80F55C125EE8A43B24EF38D258C740
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180025814
• VirtualFree.KERNEL32 ref: 000000018002583E
• VirtualAlloc.KERNEL32 ref: 0000000180025855
• VirtualFree.KERNEL32 ref: 000000018002594C
• VirtualFree.KERNEL32 ref: 0000000180025976
• VirtualFree.KERNEL32 ref: 000000018002599B
• VirtualFree.KERNEL32 ref: 00000001800259C5
• VirtualFree.KERNEL32 ref: 00000001800259EA
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
• Instruction ID: 52c6f64c64522746488a48a2738a721751fb02ae6e97e406a9f0e7fa2333df47
• Opcode Fuzzy Hash: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
• Instruction Fuzzy Hash: 79614E32601F4486EBA6DF22F45479A73A5FB8CB81F55C125EE8A43B24EF38D258C744
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180025394
• VirtualFree.KERNEL32 ref: 00000001800253BE
• VirtualAlloc.KERNEL32 ref: 00000001800253D5
• VirtualFree.KERNEL32 ref: 00000001800254C1
• VirtualFree.KERNEL32 ref: 00000001800254EB
• VirtualFree.KERNEL32 ref: 0000000180025510
• VirtualFree.KERNEL32 ref: 000000018002553A
• VirtualFree.KERNEL32 ref: 000000018002555F
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
• Instruction ID: e1ed2f7b30fdbbafaf83607e2b920250547d7d04a51b70330a41ad624c924d4a
• Opcode Fuzzy Hash: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
• Instruction Fuzzy Hash: D6614E36601F4486EBA6DF22E85479A73A5FB8CB81F44C125EE8A43B14EF38D258D744
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 00000001800255E4
• VirtualFree.KERNEL32 ref: 000000018002560E
• VirtualAlloc.KERNEL32 ref: 0000000180025625
• VirtualFree.KERNEL32 ref: 00000001800256FB
• VirtualFree.KERNEL32 ref: 0000000180025725
• VirtualFree.KERNEL32 ref: 000000018002574A
• VirtualFree.KERNEL32 ref: 0000000180025774
• VirtualFree.KERNEL32 ref: 0000000180025799
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180024754
• VirtualFree.KERNEL32 ref: 000000018002477E
• VirtualAlloc.KERNEL32 ref: 0000000180024795
• VirtualFree.KERNEL32 ref: 000000018002486B
• VirtualFree.KERNEL32 ref: 0000000180024895
• VirtualFree.KERNEL32 ref: 00000001800248BA
• VirtualFree.KERNEL32 ref: 00000001800248E4
• VirtualFree.KERNEL32 ref: 0000000180024909
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180024984
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
• VirtualFree.KERNEL32 ref: 00000001800249AE
• VirtualAlloc.KERNEL32 ref: 00000001800249C5
• VirtualFree.KERNEL32 ref: 0000000180024A90
• VirtualFree.KERNEL32 ref: 0000000180024ABA
• VirtualFree.KERNEL32 ref: 0000000180024ADF
• VirtualFree.KERNEL32 ref: 0000000180024B09
• VirtualFree.KERNEL32 ref: 0000000180024B2E
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: HandleModule$ProtectVirtual
• String ID:
• API String ID: 3544755384-0
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: wctomb_s
• String ID: 0
• API String ID: 2215178078-4108050209
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: _errno
• String ID: gfffffff
• API String ID: 2918714741-1523873471
                                                                                                                                          • Opcode ID: 50460a0e52648f72767fa19e63171c8a82114c62844ae90395d0efa7ecbc3a04
                                                                                                                                          • Instruction ID: d8f414e0bef8b82fe1a4a168c370e8312f43b1049c0ea29667bfe1c97a47490c
                                                                                                                                          • Opcode Fuzzy Hash: 50460a0e52648f72767fa19e63171c8a82114c62844ae90395d0efa7ecbc3a04
                                                                                                                                          • Instruction Fuzzy Hash: D39115B37057C986EBA28F29E9513EA7792A7657C0F148022EB994B7C1DF3CC259C701
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: header crc mismatch$unknown compression method$unknown header flags set
                                                                                                                                          • API String ID: 0-1578397619
                                                                                                                                          • Opcode ID: e25e35bceeda68fd401eb5c3d57224b9677d2a7e1ffcce3a57853ce86f0d9926
                                                                                                                                          • Instruction ID: 5fbcd8546d4c2baf4d7c5694415ebe309d501ad50e67c97bd790a69d028e859a
                                                                                                                                          • Opcode Fuzzy Hash: e25e35bceeda68fd401eb5c3d57224b9677d2a7e1ffcce3a57853ce86f0d9926
                                                                                                                                          • Instruction Fuzzy Hash: 0D028172A006588BE7AB8F25C5443AE7BB0F308788F16C519EF5957BA0DF74D668CB40
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _readmemmove
                                                                                                                                          • String ID: #
                                                                                                                                          • API String ID: 2793665766-1885708031
                                                                                                                                          • Opcode ID: 987fd676393602e5fbf9a4f4c9d3c45c4ce8d85387bfab112573a77dbf0a2f81
                                                                                                                                          • Instruction ID: 204fe7763e42409cfe4ae1be45cc68f9e315ee3c51830df5655797995f9cd38c
                                                                                                                                          • Opcode Fuzzy Hash: 987fd676393602e5fbf9a4f4c9d3c45c4ce8d85387bfab112573a77dbf0a2f81
                                                                                                                                          • Instruction Fuzzy Hash: CB411C33224F9895FBF28A65A580BFEA691F3C87C8F069111FE4903684DF74D68C8B45
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocFree
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2087232378-0
                                                                                                                                          • Opcode ID: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
                                                                                                                                          • Instruction ID: 5b382ee37adfeb0f04d4f502de3e1eb60bf9a47383fd2d17446f52300043a7dc
                                                                                                                                          • Opcode Fuzzy Hash: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
                                                                                                                                          • Instruction Fuzzy Hash: 6081C332714F8442EB568B3695857AE6351FBDABC0F109615EF8A53B50EF38D2598700
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 000000018001442D
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 000000018001445F
                                                                                                                                            • Part of subcall function 0000000180014410: InitializeCriticalSection.KERNEL32 ref: 0000000180014474
                                                                                                                                            • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 0000000180014490
                                                                                                                                            • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 00000001800144A3
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 00000001800144BA
                                                                                                                                            • Part of subcall function 0000000180014410: LeaveCriticalSection.KERNEL32 ref: 00000001800144E9
                                                                                                                                            • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 00000001800144FE
                                                                                                                                            • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 0000000180014511
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 0000000180014528
                                                                                                                                            • Part of subcall function 0000000180014410: LeaveCriticalSection.KERNEL32 ref: 0000000180014557
                                                                                                                                            • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 000000018001456C
                                                                                                                                            • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 000000018001457F
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 0000000180014596
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180023503
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180023548
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002357E
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002358F
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$EnterRead$Leave$Free$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4189992183-0
                                                                                                                                          • Opcode ID: a25cbe2398620dd5aade8412fca36b0dba362fd9746facf50c7945402be94b72
                                                                                                                                          • Instruction ID: b7787bbd8a325aeebdcde614afb160aa7d11d0e3a8624fbc1606faf4384ac525
                                                                                                                                          • Opcode Fuzzy Hash: a25cbe2398620dd5aade8412fca36b0dba362fd9746facf50c7945402be94b72
                                                                                                                                          • Instruction Fuzzy Hash: 6931C572301B8486EB878F26E95439977A1BF4DFD4F08C125EE5A87B45DF28C569C700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Leave$EnterRead$AllocVirtual$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3051317124-0
                                                                                                                                          • Opcode ID: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                                          • Instruction ID: 8d79aea406c2d95edea1836f54f9f7be0f00163c332968c48641294727d518e6
                                                                                                                                          • Opcode Fuzzy Hash: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                                          • Instruction Fuzzy Hash: 9AF1F972200F4986EB9A8F21E8153A973A5FB5CFC4F58C525EE5A477A4EF38D658C300
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _unlink$_close_open$_write$Sleeprename
                                                                                                                                          • String ID: # Netscape HTTP Cookie File$%s.LCK$%s.tmp$nsc_regen
                                                                                                                                          • API String ID: 3831667237-754349171
                                                                                                                                          • Opcode ID: 5ad480a65cf6fe72315309d2af5a2d32d7a8d9a5e723e02816f8326c51347cc7
                                                                                                                                          • Instruction ID: 3a75f7037613c534b31f398f9f7e10cfc46e488a0411f9bffbb7e4ffe011920f
                                                                                                                                          • Opcode Fuzzy Hash: 5ad480a65cf6fe72315309d2af5a2d32d7a8d9a5e723e02816f8326c51347cc7
                                                                                                                                          • Instruction Fuzzy Hash: 8D41C632204B4882F792EF21E8907D97361F7897C8F658026FA994B696CF79CA09C740
                                                                                                                                          APIs
                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Startupmemset
• String ID: Failed to create default vhost$Failed to init cookiejar$NSC$OOM$OOM allocating %d fds$context$fds table$info->ka_interval can't be 0 if ka_time used$lws_create_context$lws_free$mux$prot_init$system$unknown$wsi$wsicli$wsisrv
• API String ID: 1873301828-3289243303
• Opcode ID: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
• Instruction ID: 3b559553d32f2118d47c1827e12155a903dd1219b53e8335ef171119bd7a8236
• Opcode Fuzzy Hash: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
• Instruction Fuzzy Hash: 29325F36605B8985EB96CF21F8803EA73A5F748B88F458136EE9D47394EF38D258C750
Similarity
• API ID: String$AllocFree$CreateInstanceUninitialize$Initialize
• String ID: Block All Outbound$Block all outbound traffic$BlockAllGroup$i33L
• API String ID: 2562062002-1644180588
• Opcode ID: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
• Instruction ID: 24ee4ad5e576ebab54034bfc9a1020dbb273c5f654aeecea88066f1c8707723b
• Opcode Fuzzy Hash: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
• Instruction Fuzzy Hash: 9951D276600B448AEB41DF76D84439C37B1F788B88F208526EE5E57B28DF38C659C741
Similarity
• API ID: Process$Current$Terminate$memsetwsprintf$ObjectSessionSingleWait
• String ID: \\.\Pipe\%d_Local_%d$\\.\Pipe\%d_pipe%d
• API String ID: 1631145905-82101934
• Opcode ID: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
• Instruction ID: 2ca27b65026b01a0e2614ebc2938c806b5a8a65987fe76e9e7616e4d15ed07f3
• Opcode Fuzzy Hash: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
• Instruction Fuzzy Hash: 4B318675304B8982EBA29B21EC543DA63A2FB8CFC5F14C115E95A43664EE3CC74DD710
Similarity
• API ID: CriticalSectionVirtual$Alloc$EnterReadsetsockopt$Leave$accept$CancelCreateFreeInitializeIoctlSleepThreadclosesocket
• String ID:
• API String ID: 241427152-0
• Opcode ID: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
• Instruction ID: db9d5a1902b2427f2b8aa5890d40cac3057804daef993d423312326c5f4ee3cf
• Opcode Fuzzy Hash: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
• Instruction Fuzzy Hash: 3D61A072204B8586EBA58F11E8147DA77A5FB8CB85F148229EF8A07B54DF3DC65DCB00
Similarity
• API ID: _stricmp$atoistrchrstrncmpstrstr
• String ID: %s: assert: NULL ah$%s: assert: len %ld$%s: bad wsi role 0x%x$h2c$h2n$lws_handshake_server$websocket
• API String ID: 772635384-2030653601
• Opcode ID: 3e545e06de1398776efe2b32ebf9aaed83d313d5bc47e434b252dda6cce64d6b
• Instruction ID: d49f17e4c13066866941a8c03b63ad3af1a2a4addf82eecd73d35d4d049f7a5d
• Opcode Fuzzy Hash: 3e545e06de1398776efe2b32ebf9aaed83d313d5bc47e434b252dda6cce64d6b
• Instruction Fuzzy Hash: 74E1B131304B8951FAE69B269A803EE6352AB8D7C8F46C421FE1947792EF38C659D304
Similarity
• API ID: Object$DeleteFreeVirtual$CloseHandleSelect$BlockEventInputReleaseSingleWait
• String ID:
• API String ID: 3967251967-0
• Opcode ID: 3a07132e1f9d7ba23aabf59264424579120ae970d8e9deebab850e7ccb55037e
• Instruction ID: 294975e9c67eb738fc8a76c6dfbd6f8425bfb77a95e6eb5f1d41b0cb1a161822
• Opcode Fuzzy Hash: 3a07132e1f9d7ba23aabf59264424579120ae970d8e9deebab850e7ccb55037e
• Instruction Fuzzy Hash: 8E414836201F5481EB96DF62E9503A93366FF88FC4F18C125EE5A47B58DF38C65A8301
APIs
• IsBadReadPtr.KERNEL32 ref: 000000018001725A
  • Part of subcall function 0000000180028120: VirtualAlloc.KERNEL32(?,?,00000000,0000000180026D58), ref: 0000000180028137
  • Part of subcall function 0000000180028120: InitializeCriticalSection.KERNEL32(?,?,00000000,0000000180026D58), ref: 0000000180028165
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• memset.NTDLL ref: 0000000180017295
• GetCurrentProcessId.KERNEL32 ref: 000000018001729A
• wsprintfW.USER32 ref: 00000001800172B6
• WaitForSingleObject.KERNEL32 ref: 00000001800172D3
• WaitForSingleObject.KERNEL32 ref: 000000018001731B
• VirtualFree.KERNEL32 ref: 000000018001733A
• VirtualFree.KERNEL32 ref: 0000000180017364
• DisconnectNamedPipe.KERNEL32 ref: 000000018001737B
• CloseHandle.KERNEL32 ref: 000000018001738A
• DeleteCriticalSection.KERNEL32 ref: 0000000180017398
• VirtualFree.KERNEL32 ref: 00000001800173A9
Similarity
• API ID: Virtual$CriticalSection$Alloc$Read$EnterFree$InitializeLeaveObjectSingleWait$CloseCurrentDeleteDisconnectHandleNamedPipeProcessmemsetwsprintf
• String ID: \\.\Pipe\%d_Local_%d
• API String ID: 2297721380-251893267
• Opcode ID: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
• Instruction ID: df745b0456b80d04bc256779a35986cf992e6c2ed35c23266841cb860a50cde9
• Opcode Fuzzy Hash: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
• Instruction Fuzzy Hash: 10415E35300A4582EBA69B62E8543AE63A1FF8CFC4F54C121EE6A47A95DF3CC7499700
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ErrorLast$setsockopt$Ioctlgetprotobynameioctlsocket
                                                                                                                                          • String ID: TCP$WSAIoctl SIO_KEEPALIVE_VALS 1 %lu %lu failed with error %d$ioctlsocket FIONBIO 1 failed with error %d$setsockopt SO_KEEPALIVE 1 failed with error %d
                                                                                                                                          • API String ID: 689193069-3784515845
                                                                                                                                          • Opcode ID: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
                                                                                                                                          • Instruction ID: d85322c19fa9419ce3c0f24e89c20480943d0ad7818c6f72330d3572df486373
                                                                                                                                          • Opcode Fuzzy Hash: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
                                                                                                                                          • Instruction Fuzzy Hash: C641B132604B8486E750CF11E8847D9B7A1F78CBC8F688126EA5843754DF3DCA8DCB40
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _atoi64_stricmpstrncmp
                                                                                                                                          • String ID: Banning service on CLOSED_REMOTE$Illegal transfer-encoding$LWS_H2S_IDLE$Pseudoheader checks$client done$dyntable resize last in headers$hpack incomplete$trailers
                                                                                                                                          • API String ID: 3622546912-2715351296
                                                                                                                                          • Opcode ID: 850a7d48c15578104734be1d17ab6fe13f68133994dd60894492c7c8482764ff
                                                                                                                                          • Instruction ID: 2738031c5a13f8d2a9113236ef16879ec5afd259850b3dca8db5443b4f1c11f3
                                                                                                                                          • Opcode Fuzzy Hash: 850a7d48c15578104734be1d17ab6fe13f68133994dd60894492c7c8482764ff
                                                                                                                                          • Instruction Fuzzy Hash: DDA15031205A88C9FBE29B25C4953ED2791E788BC8F29C431FE4D5B396DF26C74A8711
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _time64randsrand
                                                                                                                                          • String ID: !"#$$%&'$()*+$,-./$0123$4567$89:;$<=>?
                                                                                                                                          • API String ID: 1363323005-2655883160
                                                                                                                                          • Opcode ID: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
                                                                                                                                          • Instruction ID: c51e40b0117ec8def28ddec8a1b2912ad07eefb3fc6356cac202c9ea0a687b5c
                                                                                                                                          • Opcode Fuzzy Hash: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
                                                                                                                                          • Instruction Fuzzy Hash: 4A118476B107908EE705CF61A88429D7BB0F308B88F944628DE5A27B0CCB34D241CF51
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpy
                                                                                                                                          • String ID: ($client stash$free$lws_client_connect_via_info
                                                                                                                                          • API String ID: 3510742995-2507652003
                                                                                                                                          • Opcode ID: 9fb5c97349f956897b386c71c7d51adbd1a5d1a1ce7cacacf1f16eb9e8c103cd
                                                                                                                                          • Instruction ID: fece761c7d5914db26e48d005023e2e74e12c3d64d436247abcb8b77079efcde
                                                                                                                                          • Opcode Fuzzy Hash: 9fb5c97349f956897b386c71c7d51adbd1a5d1a1ce7cacacf1f16eb9e8c103cd
                                                                                                                                          • Instruction Fuzzy Hash: 12D1A472A04B9846EB978B2599403AA2790F75ABF4F599321EE7E037D1DF38C5968300
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpy$memchr
                                                                                                                                          • String ID: %.*s%s%.*s%s%llu%.*s%.*s$%s: OOM$%s: can't parse date %.*s$%s: malformed c$FALSE$TRUE$lws_cookie_write_nsc$lws_free
                                                                                                                                          • API String ID: 1523488950-4097611029
                                                                                                                                          • Opcode ID: a1c06f8486ea18e7f7bfbb723cf4af0ea40f4458e0c81876f8efe29b7c23c13a
                                                                                                                                          • Instruction ID: 8df87e5d74b452ca54b599032c2b60c22e5bfa1acf36d0dd6c3964ed66178607
                                                                                                                                          • Opcode Fuzzy Hash: a1c06f8486ea18e7f7bfbb723cf4af0ea40f4458e0c81876f8efe29b7c23c13a
                                                                                                                                          • Instruction Fuzzy Hash: 63918A72301B489AEAA6CF15E5807EA27A0F74CBC8F488126EF4D57B51DF39D269C341
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeavefreemallocmemcpymemset$Initialize
                                                                                                                                          • String ID: 1216$18.166.193.8
                                                                                                                                          • API String ID: 532055762-2156589267
                                                                                                                                          • Opcode ID: 4ce7d3970b924012d0fbf1c1f527a2620021745c6c51cf997aeaa958acbe5b0c
                                                                                                                                          • Instruction ID: 582e9a51cf9fe368b1d6b2089614ae23831cbc2162aea492bb2fd5e535a51b7f
                                                                                                                                          • Opcode Fuzzy Hash: 4ce7d3970b924012d0fbf1c1f527a2620021745c6c51cf997aeaa958acbe5b0c
                                                                                                                                          • Instruction Fuzzy Hash: DC517431A14B4486E7A29B26E9443E973A1FF9DBC4F14D214EE9A43B55EF38D3898700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$EventLeave$CloseEnterHandleObjectReadSingleSleepWait
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1497552152-0
                                                                                                                                          • Opcode ID: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
                                                                                                                                          • Instruction ID: b6fb680b84b29870d8408f0db8a669e560a49f39b75c397a2ccc2e4b14d49071
                                                                                                                                          • Opcode Fuzzy Hash: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
                                                                                                                                          • Instruction Fuzzy Hash: 95410D32305F45C6EB9A9F22D8503A823A0FB4CFC4F588520FE5A4B764DF38C6998300
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpy$AllocVirtualmemset$EnvironmentExpandStrings
                                                                                                                                          • String ID: 18.166.193.8$C:\Program Files\Windows Mail
                                                                                                                                          • API String ID: 791498746-1411162985
                                                                                                                                          • Opcode ID: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
                                                                                                                                          • Instruction ID: d94bfe5a405dcc6a00cd158cabac0fcb932bbc383ae311747216a2a74efef833
                                                                                                                                          • Opcode Fuzzy Hash: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
                                                                                                                                          • Instruction Fuzzy Hash: A971B332A15B8987E752CB28E9517E83760FB9DBC8F14D315EE8953612EF389399C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Processlstrcmpi$CreateCurrentSessionThreadmemset
                                                                                                                                          • String ID: HTTP$TCP$UDP
                                                                                                                                          • API String ID: 1333632082-3864057669
                                                                                                                                          • Opcode ID: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
                                                                                                                                          • Instruction ID: f284a5f0d6b5b17f234fedd842583cf4595dc16da8c51406b2e8c17d34ccde1e
                                                                                                                                          • Opcode Fuzzy Hash: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
                                                                                                                                          • Instruction Fuzzy Hash: 11319631624B8896E791CF21FC543DA73A5FB8CBC4F548226E98A42654EF38C789CB41
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Service$CloseDatabaseFreeHandleOpenVirtual$ChangeConfigLockManagerQuerySleepStatusUnlock
• String ID:
• API String ID: 3731607402-0
APIs
Similarity
• API ID: Desktop$Thread$CloseInformationObjectUsermemset$CurrentInputOpenlstrcmpi
• String ID:
• API String ID: 2480204736-0
APIs
Strings
Similarity
• API ID: getaddrinfo
• String ID: DNS NXDOMAIN$GET$MQTT$POST$PUT$UDP$YZ[\X]^_RAW$client_connect2
• API String ID: 300660673-2214405465
APIs
Strings
Similarity
• API ID: _mktime64atoi
• String ID: VUUU$anfebmaraprnayjunjulaugsepoctnovdec
• API String ID: 4184807649-2104782412
APIs
Strings
Similarity
• API ID: malloc$free$Timetime
• String ID: <$d$d
• API String ID: 3424428123-2034941416
APIs
Strings
Similarity
• API ID: _wcsicmp$wcsrchr
• String ID: .bat$.cmd$.com$.exe
• API String ID: 2496260227-4019086052
APIs
Strings
Similarity
• API ID: CloseHandle$CreateDirectoryProcessSystemlstrcatmemset
• String ID: WinSta0\Winlogon$\cmd.exe$h
• API String ID: 3110162951-1128999311
APIs
Similarity
• API ID: Event$EventsWait$Multiplememset$CloseCreateEnumNetworkObjectSelectSingle
• String ID:
• API String ID: 4111286588-0
APIs
Strings
Similarity
• API ID: _strnicmp
• String ID: %s: malformatted protocol list$%s: malformed or absent conn hdr$%s: pcol name too long$%s: protocol list too long$NULL protocol at lws_read$lws_process_ws_upgrade$upgrade$ws upg pcol$ws upgrade default pcol
• API String ID: 2635805826-3436673557
APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalReadSectionVirtual$AllocEnterErrorExitFreeLastLeaveThreadTimesendtime
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3122330297-0
                                                                                                                                          • Opcode ID: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
                                                                                                                                          • Instruction ID: f7eac1dd2de70b53d53e3eab7ec8ea87249c30c15c0ef925b5336bb8e0fd8ac6
                                                                                                                                          • Opcode Fuzzy Hash: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
                                                                                                                                          • Instruction Fuzzy Hash: C7418032300A4487E7968F26E95439E73A1FB49FC4F14C129EB5A8B754DF38DA59CB01
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memset$Windowlstrlen$Process32$ClassCloseCreateFirstHandleNameNextProcessSnapshotTextThreadToolhelp32Visible
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4082481662-0
                                                                                                                                          • Opcode ID: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
                                                                                                                                          • Instruction ID: d0f507396e64800563df14b166d5fa831775ab325477c94ed690f18abff4640a
                                                                                                                                          • Opcode Fuzzy Hash: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
                                                                                                                                          • Instruction Fuzzy Hash: 05411776310A849ADB71DF26DD447EA2361FB89B99F409111DE0E8BE58EF39C358CB00
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Service$Control$CloseHandleOpen$ManagerQuerySleepStartStatus
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2453229493-0
                                                                                                                                          • Opcode ID: 2273a004fea410f7597165bb23289446dcc16b9a87cf60cf92e4a93607a0279b
                                                                                                                                          • Instruction ID: a827f19ee3d39340aa7ff37006d083c65898c79fdd008705067775172c250e71
                                                                                                                                          • Opcode Fuzzy Hash: 2273a004fea410f7597165bb23289446dcc16b9a87cf60cf92e4a93607a0279b
                                                                                                                                          • Instruction Fuzzy Hash: C431A77160574482E6E68B56A92839B73A1FB8CBD1F25C521EA4A03754EE7CC74C8B00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrcmpi
                                                                                                                                          • String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
                                                                                                                                          • API String ID: 1586166983-3507829934
                                                                                                                                          • Opcode ID: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
                                                                                                                                          • Instruction ID: c5102dafba556a099cf21811f283ae19e0cd38949c6be2cc2dbabf3547937893
                                                                                                                                          • Opcode Fuzzy Hash: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
                                                                                                                                          • Instruction Fuzzy Hash: DF010920340B4855FA859B36AD993A17252AF4CBF0F94D324B93B837E8EF68C2489305
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitVariant
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1927566239-0
                                                                                                                                          • Opcode ID: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
                                                                                                                                          • Instruction ID: df31702713cfb229a575d7950fa945f7c7faf68abf407ff6d34f975fbd772260
                                                                                                                                          • Opcode Fuzzy Hash: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
                                                                                                                                          • Instruction Fuzzy Hash: B3C10576701B448AEB62CF79D4847AD23B1FB88B98F118516EE0E57B28DF38C649C740
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 0$localeconv
                                                                                                                                          • API String ID: 0-1694054256
                                                                                                                                          • Opcode ID: 62c991d504baceb27228d7619c59d8f6b300d3d360e6c3cc75c69b9d69c5f280
                                                                                                                                          • Instruction ID: e29cbc192d5b5fa776c4183e2a42224c504630d66b273c1672e9d2f84518f776
                                                                                                                                          • Opcode Fuzzy Hash: 62c991d504baceb27228d7619c59d8f6b300d3d360e6c3cc75c69b9d69c5f280
                                                                                                                                          • Instruction Fuzzy Hash: F6C1A172205B8486E7A18F25E85039C37A6F709FD5F248219EBED07B95DF39C6A9C700
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 0000000180012020
                                                                                                                                          • ProcessIdToSessionId.KERNEL32 ref: 0000000180012030
                                                                                                                                            • Part of subcall function 0000000180026CA0: VirtualAlloc.KERNEL32 ref: 0000000180026CBE
                                                                                                                                            • Part of subcall function 0000000180026CA0: GetCurrentProcessId.KERNEL32 ref: 0000000180026D39
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180012096
                                                                                                                                          • InitializeCriticalSection.KERNEL32 ref: 00000001800120A8
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 00000001800120CD
                                                                                                                                          • InitializeCriticalSection.KERNEL32 ref: 00000001800120DF
                                                                                                                                          • CreateThread.KERNEL32 ref: 0000000180012117
                                                                                                                                          • WaitForSingleObject.KERNEL32 ref: 000000018001212D
                                                                                                                                          • CloseHandle.KERNEL32 ref: 0000000180012136
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocCriticalSectionVirtual$EnterInitializeProcessRead$CurrentLeave$CloseCreateHandleObjectSessionSingleThreadWait
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1571644542-0
                                                                                                                                          • Opcode ID: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
                                                                                                                                          • Instruction ID: c803f1937374879516fc36001848ea71169e9560d2ca95881579869001e17f0a
• Opcode Fuzzy Hash: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
• Instruction Fuzzy Hash: 11313D32215B8482E796DF21F814399B7A5FB8CBD0F548219FA9647B94EF38C658CB40
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualAlloc.KERNEL32 ref: 0000000180028683
• VirtualAlloc.KERNEL32 ref: 00000001800286CF
• IsBadReadPtr.KERNEL32 ref: 0000000180028711
• EnterCriticalSection.KERNEL32 ref: 0000000180028729
• VirtualAlloc.KERNEL32 ref: 0000000180028740
• LeaveCriticalSection.KERNEL32 ref: 0000000180028764
• VirtualFree.KERNEL32 ref: 0000000180028789
• VirtualFree.KERNEL32 ref: 00000001800287B3
• VirtualFree.KERNEL32 ref: 00000001800287C9
• VirtualFree.KERNEL32 ref: 00000001800287F3
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
• Instruction ID: d0ad719fa565a145eaef6b7726f9e7cff3c3b88db48e1dcf6b865918ce14aec4
• Opcode Fuzzy Hash: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
• Instruction Fuzzy Hash: 51517C35315B4482EB9A9F26E9543AA63A1FF8CFC1F54C024EF8A43B54DF38D6198700
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLast$closesocket$acceptselectsetsockopt
• String ID: accept: errno %d
• API String ID: 202107160-3139583270
• Opcode ID: c3f00e874f1ac731178f54c9e58ecc05abcf660705855fa9d8f8be190f44be0b
• Instruction ID: d344d24f1f520dc8d36f83eb6c9f7fde8187a9fa3a5f2ba2036925cdfc61fb5c
• Opcode Fuzzy Hash: c3f00e874f1ac731178f54c9e58ecc05abcf660705855fa9d8f8be190f44be0b
• Instruction Fuzzy Hash: 6451BE32606BC882F7A1CF51E9483E96361F788B94F199216FE9913794DF39DAC9C300
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: FreeMemory$EnumerateInformationQuerySessionSessionslstrlen
• String ID: system
• API String ID: 3618899143-3377271179
• Opcode ID: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
• Instruction ID: 5004bf5ab9f511ae30339ed98b93da59ddf5133012d5f48a47ed23bc630cf909
• Opcode Fuzzy Hash: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
• Instruction Fuzzy Hash: 144167B6B10A608AEB51CF65E8847DD37B4F748B88F509516EF0A43B58DF35C698CB00
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: lstrcat$DeleteErrorFileLastmemset
• String ID: C:\Program Files\Windows Mail$\temp.key
• API String ID: 3002015462-229217837
• Opcode ID: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
• Instruction ID: 418552250ced0e4a5d951a15a9e44788c617947f6cb3901df8409ae19f2d7500
• Opcode Fuzzy Hash: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
• Instruction Fuzzy Hash: 8D113D32608B89D6D7618F55F84439AB3A5FBDD7C4F508216F69A42A68EF7CC24CCB00
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocErrorFreeLastTimesendsockettime
• String ID:
• API String ID: 675528727-0
• Opcode ID: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
• Instruction ID: 7d09a61f6278589bbabcc35533cf6e2b87e2baaa12461d56da63d21fb922d4c8
• Opcode Fuzzy Hash: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
• Instruction Fuzzy Hash: B641A436310B4442EB96CF26E90479B67A1FB8DBC0F19C025EF5A8BB94DF39D6598700
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: strnlenwcsnlen
• String ID: (null)$(null)$0
• API String ID: 3725369605-212571832
• Opcode ID: 67498eb6120f9a87af12e93a27b0a3bfdbad7a3d9dcff1efb83aa52a075b076c
• Instruction ID: 66fce8290cce2b71c14474b78f598dfd8bd286b4286ac5328ae3c4fc44f0a64c
• Opcode Fuzzy Hash: 67498eb6120f9a87af12e93a27b0a3bfdbad7a3d9dcff1efb83aa52a075b076c
• Instruction Fuzzy Hash: AAA1D372214F4885EBA68F28D8407EC77A2F359BD8F749105FE6947684DF35CA8AC740
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memchrmemcpy
• String ID: %s: failed to get c '%s'$%s:no cookiejar$lws_cookie_attach_cookies
• API String ID: 3039221550-101748955
• Opcode ID: 2240d8001afbd33d5b716c548b6dd03b428f2b485bf9da117c7a8488b072aaa3
• Instruction ID: 78b98571fa2367f6c2707e6fa4df3d7cfaf4dd4838afe4a07a99c5f21938646c
• Opcode Fuzzy Hash: 2240d8001afbd33d5b716c548b6dd03b428f2b485bf9da117c7a8488b072aaa3
• Instruction Fuzzy Hash: B771D132604B8889FBA28B65D450BE927A0FB5D7D8F48D216FE58277D5DF39C289C301
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memmove$_errnostrcpy_s
• String ID: e+000$gfff
• API String ID: 2254902591-3030954782
• Opcode ID: e6ad066e48c9a8430003dcdfd77ad5ec9309e1d8e4c1c01db61fe6eef5906141
• Instruction ID: 6cba9cfaa347f7440b6c2f7b1d52b6e9a4fa326de3a75132d8f99ee068a4b5b2
• Opcode Fuzzy Hash: e6ad066e48c9a8430003dcdfd77ad5ec9309e1d8e4c1c01db61fe6eef5906141
• Instruction Fuzzy Hash: 085137777187D885E7A68E25AC0039EAB92F348BC4F58C111EBA44BAD5CF7DC649C700
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Similarity
• API ID: closesocket
• String ID: __lws_close_free_wsi_final$client_reset$failed to get ah$free$lws_free
APIs
• __chkstk.NTDLL ref: 000000018001E01D
• memset.NTDLL ref: 000000018001E048
• memset.NTDLL ref: 000000018001E05A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018001E09B
• VirtualFree.KERNEL32 ref: 000000018001E0C5
• VirtualFree.KERNEL32 ref: 000000018001E197
• VirtualFree.KERNEL32 ref: 000000018001E1C1
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leavememset$Initialize__chkstk
• String ID:
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018001D790
• VirtualFree.KERNEL32 ref: 000000018001D7BA
• CreateThread.KERNEL32 ref: 000000018001D7E8
• IsBadReadPtr.KERNEL32 ref: 000000018001D80C
• EnterCriticalSection.KERNEL32 ref: 000000018001D81F
• VirtualAlloc.KERNEL32 ref: 000000018001D836
• LeaveCriticalSection.KERNEL32 ref: 000000018001D85A
Similarity
• API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
• String ID:
APIs
Similarity
• API ID: Virtual$Free$Alloc$InfoUserlstrcmpi
• String ID:
APIs
Strings
Similarity
• API ID: CloseCreateFileHandle__doserrno_errno
• String ID: :
APIs
Strings
Similarity
• API ID: Library$AddressAllocFreeLoadProcVirtual
• String ID: SetProcessDPIAware$user32.dll
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
Similarity
• API ID: FreeVirtualmemcpymemset$FileOperation
• String ID:
Joe Sandbox IDA Plugin
Similarity
• API ID: CloseHandle$CreateErrorLastProcessSuspendThreadTokenWith
• String ID: h
Joe Sandbox IDA Plugin
Similarity
• API ID: OpenService$CloseErrorHandleLastManager
• String ID:
Joe Sandbox IDA Plugin
Similarity
• API ID: DirectoryErrorFreeLastSystemVirtuallstrcatmemset
• String ID: \svchost.exe -k netsvcs
Joe Sandbox IDA Plugin
Similarity
• API ID: Virtual$Alloc$CriticalFreeInitializeSection
• String ID:
Joe Sandbox IDA Plugin
Similarity
• API ID:
• String ID: %s: wsi not bound to vhost$<html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>%u</h1>%s</body></html>$lws_return_http_status$pending status body$text/html
Joe Sandbox IDA Plugin
Similarity
• API ID: memset
• String ID: default$lws_free$lws_protocol_init_vhost$protocol %s failed init$raw
Joe Sandbox IDA Plugin
Similarity
• API ID: memcpy
• String ID: %s: unsized dyn table$Dropping header content before limit!$free$hpack dyn$lws_dynamic_token_insert
Joe Sandbox IDA Plugin
Similarity
• API ID:
• String ID: $%02X $%04X: $(hexdump: NULL ptr)$(hexdump: zero length)
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrcmpi
                                                                                                                                          • String ID: U:I:$V:R:$V:_:$^:V:$_:B:
                                                                                                                                          • API String ID: 1586166983-194391922
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocFree$InfoUserlstrcmpi
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4244901044-0
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ObjectSingleWaitmemcpy$Eventmemset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2578485326-0
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocBitmapBitsCompatibleCreateDeleteObjectReleaseVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1942853633-0
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: free
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 000000018001D9B9
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001DA86
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001DAB0
                                                                                                                                          • CloseHandle.KERNEL32 ref: 000000018001DAC5
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001DAF8
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001DB22
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001DB37
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 000000018001442D
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 000000018001445F
                                                                                                                                            • Part of subcall function 0000000180014410: InitializeCriticalSection.KERNEL32 ref: 0000000180014474
                                                                                                                                            • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 0000000180014490
                                                                                                                                            • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 00000001800144A3
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 00000001800144BA
                                                                                                                                            • Part of subcall function 0000000180014410: LeaveCriticalSection.KERNEL32 ref: 00000001800144E9
                                                                                                                                            • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 00000001800144FE
                                                                                                                                            • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 0000000180014511
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 0000000180014528
                                                                                                                                            • Part of subcall function 0000000180014410: LeaveCriticalSection.KERNEL32 ref: 0000000180014557
                                                                                                                                            • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 000000018001456C
                                                                                                                                            • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 000000018001457F
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 0000000180014596
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$EnterRead$Free$Leave$Initialize$CloseHandle
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1803526796-0
                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 0000000180015973
                                                                                                                                            • Part of subcall function 000000018002CC60: CreateToolhelp32Snapshot.KERNEL32 ref: 000000018002CC76
  • Part of subcall function 000000018002CC60: malloc.MSVCRT ref: 000000018002CC84
  • Part of subcall function 000000018002CC60: Process32FirstW.KERNEL32 ref: 000000018002CCA2
  • Part of subcall function 000000018002CC60: free.MSVCRT ref: 000000018002CCB7
  • Part of subcall function 000000018002CC60: CloseHandle.KERNEL32(?,?,00000000,0000000180026D46), ref: 000000018002CCC5
  • Part of subcall function 000000018002D140: OpenSCManagerW.SECHOST(?,?,?,?,?,00000000,00001000,00000000,?,000000018001264E), ref: 000000018002D165
  • Part of subcall function 000000018002D140: EnumServicesStatusExW.ADVAPI32 ref: 000000018002D1B1
  • Part of subcall function 000000018002D140: malloc.MSVCRT ref: 000000018002D1C6
  • Part of subcall function 000000018002D140: memset.NTDLL ref: 000000018002D1DC
  • Part of subcall function 000000018002D140: EnumServicesStatusExW.ADVAPI32 ref: 000000018002D21B
  • Part of subcall function 000000018002D140: CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000000018001264E), ref: 000000018002D228
  • Part of subcall function 000000018002D140: free.MSVCRT ref: 000000018002D231
• ExitProcess.KERNEL32 ref: 0000000180015998
• VirtualFree.KERNEL32 ref: 0000000180015BA8
• VirtualFree.KERNEL32 ref: 0000000180015BD2
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CloseEnumFreeHandleProcessServicesStatusVirtualfreemalloc$CreateCurrentExitFirstManagerOpenProcess32ServiceSnapshotToolhelp32memset
• String ID: Schedule
• API String ID: 2593299425-2739827629
• Opcode ID: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
• Instruction ID: 5fc08f357157a39be1610c2a0e98af4c5ea75a7c59211da2ad713407d599061b
• Opcode Fuzzy Hash: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
• Instruction Fuzzy Hash: 01016235301F0881FBE79F61E9903E95295AF8CBD2F14C026FADA46691EE7CC28D5705
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: e678b758875d27a0bf091b5624fc88a162c43534257f2b693664699c7e9877e8
• Instruction ID: 8b8ca0ed71f779e7386428d5087bdfdb25684bd4f02d6e02136788054c443d58
• Opcode Fuzzy Hash: e678b758875d27a0bf091b5624fc88a162c43534257f2b693664699c7e9877e8
• Instruction Fuzzy Hash: D4F03031201B0881EB968B28A8453996362AB8DBE1F649715E57A456E4DF3DC28DD740
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
• Instruction ID: 46dd7e174bbb0176d8158cd44d0f918e6d490295a3558a5e7a1ed015a6db4e3d
• Opcode Fuzzy Hash: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
• Instruction Fuzzy Hash: DE619C32205B888AEBA2CF25E84479973A4FB4CBD4F69C425EE8D43794EF74C649C740
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 00000001800242F3
• VirtualFree.KERNEL32 ref: 000000018002431D
• VirtualAlloc.KERNEL32 ref: 0000000180024334
• InitializeCriticalSection.KERNEL32 ref: 00000001800243BE
• VirtualFree.KERNEL32 ref: 0000000180024443
• VirtualFree.KERNEL32 ref: 000000018002446D
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$InitializeLeave
• String ID:
• API String ID: 2124124174-0
• Opcode ID: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
• Instruction ID: 1a4552423636e67eab2c1520faff09b05bbcc1213573510507159075cfaa0eb2
• Opcode Fuzzy Hash: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
• Instruction Fuzzy Hash: 5F513C32611F4486EBA5DF12F85879A73A9FB8CB84F558125EE8E43B14DF38D258C740
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memmove$fegetenvmemsetstrcpy_s
• String ID: -
• API String ID: 4000792587-2547889144
• Opcode ID: 9e9281c9cf7e8c916e0e8b9d00e2d6f619eb730164d884b4f4418d54a07b2f2c
• Instruction ID: 8d79f530962e9fe932928b95569a29ece8adb93464e72faaa2e1ae5f2cf6693e
• Opcode Fuzzy Hash: 9e9281c9cf7e8c916e0e8b9d00e2d6f619eb730164d884b4f4418d54a07b2f2c
• Instruction Fuzzy Hash: DD41E73375878C82E7929F21984039A7792F749FC4F64D211FAAA5BB89DF38D609C701
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: strchr
• String ID: http://$http_proxy needs to be ads:port$lws_set_proxy$proxy auth too long
• API String ID: 2830005266-175238664
• Opcode ID: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
• Instruction ID: 252963013e37880a5f6833a7ab8bea35b96ab233e80dd34d852d668b7bae1ba6
• Opcode Fuzzy Hash: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
• Instruction Fuzzy Hash: 7331F631704B8885EBA6DB21E5403EA6351A74ABC4F54C121FE5D17B9BEF29C31EC345
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 00000001800157CB
• VirtualFree.KERNEL32 ref: 00000001800157F5
• VirtualFree.KERNEL32 ref: 0000000180015BA8
• VirtualFree.KERNEL32 ref: 0000000180015BD2
  • Part of subcall function 000000018002BC20: memcpy.NTDLL ref: 000000018002BC45
  • Part of subcall function 000000018002BC20: memset.NTDLL ref: 000000018002BCDA
  • Part of subcall function 000000018002BC20: wsprintfW.USER32 ref: 000000018002BCF9
  • Part of subcall function 000000018002BC20: SetFileAttributesW.KERNEL32 ref: 000000018002BD09
  • Part of subcall function 000000018002BC20: DeleteFileW.KERNEL32 ref: 000000018002BD14
  • Part of subcall function 000000018002BC20: CreateFileW.KERNEL32 ref: 000000018002BD44
  • Part of subcall function 000000018002BC20: GetLastError.KERNEL32 ref: 000000018002BD53
  • Part of subcall function 000000018002BC20: SetFileAttributesW.KERNEL32 ref: 000000018002BDA0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$FileFree$EnterRead$AttributesLeave$CreateDeleteErrorInitializeLastmemcpymemsetwsprintf
                                                                                                                                          • String ID: 18.166.193.8
                                                                                                                                          • API String ID: 3047218378-2949878557
                                                                                                                                          • Opcode ID: 4748c9799fc4aab539902931fc7cd806f5684b6e31aa09dd6eb953e43b6e7f72
                                                                                                                                          • Instruction ID: d95adf5c098e6eb48693c859dd85d07415d347a82ec0fb1ec3a4f0ada00637cd
                                                                                                                                          • Opcode Fuzzy Hash: 4748c9799fc4aab539902931fc7cd806f5684b6e31aa09dd6eb953e43b6e7f72
                                                                                                                                          • Instruction Fuzzy Hash: BC318432715F4482EBA6DF22E8547AE63A5FF8DBC1F11C115EE8A07A54DF38C2898700
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180015706
• VirtualFree.KERNEL32 ref: 0000000180015730
• VirtualFree.KERNEL32 ref: 0000000180015BA8
• VirtualFree.KERNEL32 ref: 0000000180015BD2
Strings
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
• String ID: 18.166.193.8
• API String ID: 696443088-2949878557
• Opcode ID: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
• Instruction ID: 5cda13590cf398a7562659c65d185bc26be6142773128daa7fa494d5a847475a
• Opcode Fuzzy Hash: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
• Instruction Fuzzy Hash: 93316F36705B4082EBA5DF12E55875AA3A5FB89BC1F11C115EF8607BA4DF39C289DB00
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• CreateThread.KERNEL32 ref: 000000018001D907
• IsBadReadPtr.KERNEL32 ref: 000000018001D928
• EnterCriticalSection.KERNEL32 ref: 000000018001D93B
• VirtualAlloc.KERNEL32 ref: 000000018001D952
• LeaveCriticalSection.KERNEL32 ref: 000000018001D976
Similarity
• API ID: CriticalSection$AllocVirtual$EnterRead$Leave$CreateInitializeThread
• String ID:
• API String ID: 986707815-0
• Opcode ID: 13fe9d48963e991135e2c963f540b907288d56d1b03b0de4579185a6b58a6942
• Instruction ID: d8726ccc53e9578ca535d2c4e20fec2d7434b428871098f507a6a2abd5c54b50
• Opcode Fuzzy Hash: 13fe9d48963e991135e2c963f540b907288d56d1b03b0de4579185a6b58a6942
• Instruction Fuzzy Hash: E7314F76310B4486EB559F22E814399B7A5FB8CFD4F488125EE8A47B54EF38C659CB00
APIs
Strings
Similarity
• API ID: memcpy
• String ID: %s: OOM$%s: buflist reached sanity limit$%s: corrupt list points to self$lws_buflist_append_segment
• API String ID: 3510742995-575834517
• Opcode ID: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
• Instruction ID: 4b9f86e74c2c964e6e36c752caefe5a3740dee5ce4422127799d0d10c5e21769
• Opcode Fuzzy Hash: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
• Instruction Fuzzy Hash: 2521A132204F8881FAA68B15E8803E977A1F74DBD8F568116FA5D077A6DF38C68DC344
APIs
Similarity
• API ID: _errno
• String ID:
• API String ID: 2918714741-0
• Opcode ID: 867c813408c47003856487d9d7ddf2f299c27c866921b7c00dbaf6564a6c8a9b
• Instruction ID: 2552c33322c8c3ba54c5fd4790869664e60f7750ed47400c7edee610d249c408
• Opcode Fuzzy Hash: 867c813408c47003856487d9d7ddf2f299c27c866921b7c00dbaf6564a6c8a9b
• Instruction Fuzzy Hash: D211363260478480EAD1AB25B5403DE5392E3887D8F29A224FBBA0B7C5CF38C5C78704
APIs
Similarity
• API ID: Process$CloseCreateCurrentHandleObjectSingleTerminateThreadWait
• String ID:
• API String ID: 603326088-0
• Opcode ID: 7c3f9b570a8332205efd3d9421a3c14b2d654208f283a85a9c5ac44cbca20012
• Instruction ID: 8f792a8b8adbeacd3d34b8155bdf4c4e009a9f7f6f238e385d1c4a564218f734
• Opcode Fuzzy Hash: 7c3f9b570a8332205efd3d9421a3c14b2d654208f283a85a9c5ac44cbca20012
• Instruction Fuzzy Hash: 70F05471711B0542EB958B72AC043952392AF8CB94F188625AD2A86350FE3CC1499704
Strings
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: %s: WSAPoll failed: count %d, err %d: %d$_lws_plat_service_tsi
                                                                                                                                          • API String ID: 0-2420814896
                                                                                                                                          • Opcode ID: 74adf9df8c06806404fa061e618759ccf63e20c0546f0dd375249f3605fd535d
                                                                                                                                          • Instruction ID: b55d5f2b5d4eff2fa94cd21e447625c3e30541992c22a958acd5a53cfe757ead
                                                                                                                                          • Opcode Fuzzy Hash: 74adf9df8c06806404fa061e618759ccf63e20c0546f0dd375249f3605fd535d
                                                                                                                                          • Instruction Fuzzy Hash: 6581F073200A8883EBA68B15A4403EE7295F74C7C8F55C125FF595B795EF39D646CB00
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memset$_unlink
• String ID: lws_free
• API String ID: 1884818752-2419506585
• Opcode ID: f671c1c9dc5f9f1ecd93fd6c90e8a55de8e0b5723c060ba0bceb813fd88c5dd0
• Instruction ID: edff01616a4ec42ddeaebd2ea6e8f158b2aeec0c450080a6a2b70cf555a3a1c5
• Opcode Fuzzy Hash: f671c1c9dc5f9f1ecd93fd6c90e8a55de8e0b5723c060ba0bceb813fd88c5dd0
• Instruction Fuzzy Hash: 95811B32302F8985EB968F15D4943ED23A0FB88B88F998436EE4D1B395DF38C659C314
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: _time64memset
• String ID: %s: calling service$__lws_header_table_reset
• API String ID: 899224009-1639372703
• Opcode ID: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
• Instruction ID: 5e82bdfe920b9ab013f9826534e472695fa2a594b32c4a3153a1c9bd49f4ed2a
• Opcode Fuzzy Hash: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
• Instruction Fuzzy Hash: F631A132A04BC482E796CF21D5803ED6764F799F88F199236AF581B269EF30D3A5C314
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: _open$_close_unlink$Sleep
• String ID: %s.LCK$lws_cache_nscookiejar_get
• API String ID: 356877787-304041560
• Opcode ID: b1e3df4582b37e7dde39b4fa126397fa21afb4d055b57bb552a81beab581970c
• Instruction ID: 0e1a78b773a8576f51197be4f1b4fe07d40e9a723c09fba01995f84b77e9cf2f
• Opcode Fuzzy Hash: b1e3df4582b37e7dde39b4fa126397fa21afb4d055b57bb552a81beab581970c
• Instruction Fuzzy Hash: 9E21AF32204F8882E7A18B11F4807CAB3A8F78C7C4F558126FB8883B59CF79CA19C740
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: _open$_close_unlink$Sleep
• String ID: %s.LCK$lws_cache_nscookiejar_lookup
• API String ID: 356877787-2679908804
• Opcode ID: 465c451c24f9ada9f804976cb20c197d3705dce7109b0904ed9b8404b6572737
• Instruction ID: 07452c2cd75102b3e7bf713fc4565c5959315d14a178c7364d5e03bed58855c7
• Opcode Fuzzy Hash: 465c451c24f9ada9f804976cb20c197d3705dce7109b0904ed9b8404b6572737
• Instruction Fuzzy Hash: 00117536204F4881E7519B25B4803DA73A5F78C7E4F558322FAA9477D9CF38C649C740
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: AddDllDirectory$kernel32
• API String ID: 1646373207-3758863895
• Opcode ID: bef0785b2c8924bfbec88b289f6832a9af4e4c3d9dcee81fd5aeb069f45e08fe
• Instruction ID: 6a439ee3dd2f551b152c436993547d8ce955f4df82582785ea2ae01e4f1208fa
• Opcode Fuzzy Hash: bef0785b2c8924bfbec88b289f6832a9af4e4c3d9dcee81fd5aeb069f45e08fe
• Instruction Fuzzy Hash: 10F01530A12B8885FAC6CB24AC503D123A1FB6D780FA8D615E84912360EFAD93D89300
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: d42d265467519c93c7dd951c29be45eba968ee9a7fe8673b8b37004fd25c35d6
• Instruction ID: d4dacb9b5bf7a5b83de5f42d58e9740fdd28e5af92b2877f69c7988f04a7870b
• Opcode Fuzzy Hash: d42d265467519c93c7dd951c29be45eba968ee9a7fe8673b8b37004fd25c35d6
• Instruction Fuzzy Hash: 2141C13261478886EB96CF218450BEA27A0FB5DBC8F44D112FE4967685EF39C749C302
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018001B4AB
• VirtualFree.KERNEL32 ref: 000000018001B4D5
• memset.NTDLL ref: 000000018001B4F6
• VirtualFree.KERNEL32 ref: 000000018001B546
• VirtualFree.KERNEL32 ref: 000000018001B570
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initializememset
• String ID:
• API String ID: 3460648485-0
• Opcode ID: 3c6ebeff4e04c1c6b57bce02760e90bbf3a7ae38a370be6e0e926dec6ce5aaa2
• Instruction ID: 87dde599cd748b8c32ebc84dd2c552ad12c09ebbabe043a8493efcfea12d56ee
• Opcode Fuzzy Hash: 3c6ebeff4e04c1c6b57bce02760e90bbf3a7ae38a370be6e0e926dec6ce5aaa2
• Instruction Fuzzy Hash: 9E315E32311E9486EB65DF67E9543AAA361FB8DBC1F448024DF8A47F54DF38C2598B00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: strcmp
                                                                                                                                          • String ID: can't find role '%s'$lws_role_call_adoption_bind$raw-proxy
                                                                                                                                          • API String ID: 1004003707-2670016624
                                                                                                                                          • Opcode ID: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
                                                                                                                                          • Instruction ID: 856c33a7f91d113fa80138d5a6edae469c5f059fe421a065bee95859f9defa15
                                                                                                                                          • Opcode Fuzzy Hash: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
                                                                                                                                          • Instruction Fuzzy Hash: 06614671304B8D41EEA68B1698917E97BA1F749FC8F19D029FE8947395DE38C20AD344
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: atoi
                                                                                                                                          • String ID: http$https$wss
                                                                                                                                          • API String ID: 657269090-1519134247
                                                                                                                                          • Opcode ID: 701d953922a376634be604cd511beec6f9bc88c6d0ba1ed9f7566711d4f08381
                                                                                                                                          • Instruction ID: be4ecfb893a0eccff37447a91141d411b24d30939406da6c691932dec41fcb09
                                                                                                                                          • Opcode Fuzzy Hash: 701d953922a376634be604cd511beec6f9bc88c6d0ba1ed9f7566711d4f08381
                                                                                                                                          • Instruction Fuzzy Hash: FC519072508ACC44EBF34F2494113FA3BE1A31ABC8F5AC052E7D5463D6DE6A865E8311
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpystrncmptolower
                                                                                                                                          • String ID: transfer-encoding
                                                                                                                                          • API String ID: 1825611792-1470906230
                                                                                                                                          • Opcode ID: c539f7db85004bbdaa11fa9888ce0fed88215ddef03d4659c1c778ac67b775c8
                                                                                                                                          • Instruction ID: b97529d15c7033a20ce9e5b24556692f0e3a2daee8d10b7a8aa24fb646eaf914
                                                                                                                                          • Opcode Fuzzy Hash: c539f7db85004bbdaa11fa9888ce0fed88215ddef03d4659c1c778ac67b775c8
                                                                                                                                          • Instruction Fuzzy Hash: 6B41A072304A8885EB568E26E4503A93BA1E359BD4F14C111FF4E5738ADF3EC259A701
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno$__pctype_funcfree
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2006978261-0
                                                                                                                                          • Opcode ID: 33940d6e5fc8a6375603b3a7ba23e2abfb58298483cfd1f6bf6a832e02cc6377
                                                                                                                                          • Instruction ID: b4b0e41c05156b32ca972ba8fb8b71cd992a7ca077e43592f321546519cbf2a4
                                                                                                                                          • Opcode Fuzzy Hash: 33940d6e5fc8a6375603b3a7ba23e2abfb58298483cfd1f6bf6a832e02cc6377
                                                                                                                                          • Instruction Fuzzy Hash: 93412F761087D48DE6A3CB54D8903EE77A6E7497C6F388005FBA607795CE38C649DB10
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno$freestrtol
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3444388478-0
                                                                                                                                          • Opcode ID: 7403869242572383e56bd683cb69b1769a801e6b061c76f3d918504b1cdbba2f
                                                                                                                                          • Instruction ID: 8f4a69c81363a754ddd304638c94179cbfff9b1927f4a6e99413924a4c35ebc5
                                                                                                                                          • Opcode Fuzzy Hash: 7403869242572383e56bd683cb69b1769a801e6b061c76f3d918504b1cdbba2f
                                                                                                                                          • Instruction Fuzzy Hash: 2B4172322047888AFBA28F55E8413DE77E2F7997C4F248015FA5947B95CF78D689CB40
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno$freestrtol
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3444388478-0
                                                                                                                                          • Opcode ID: a06b1ada0f63e894549ed10f8a9d1f824d61a194adaed997a72c8b2d82c9a995
                                                                                                                                          • Instruction ID: 2819dd1aeb03ba59555edd1c06ea1e1e03ba90f198c7d6ece65a8170e5ad630e
                                                                                                                                          • Opcode Fuzzy Hash: a06b1ada0f63e894549ed10f8a9d1f824d61a194adaed997a72c8b2d82c9a995
                                                                                                                                          • Instruction Fuzzy Hash: 5A4174321087888ED7A28F55E8113DA77F6F78A795F248005FBA947B59CF39CA45CB01
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpy
                                                                                                                                          • String ID: Unable to connect$lws_conmon_append_copy_new_dns_results
                                                                                                                                          • API String ID: 3510742995-4193639203
                                                                                                                                          • Opcode ID: cba5df87d3bc34571f15c18130ba281561c34a16ecc347fc48b3718e4e5733a0
                                                                                                                                          • Instruction ID: 62ed0a04fc34075671b1a35ecb37c3fee2d7bdfcd5a5fba08d5d5aed4e27db10
                                                                                                                                          • Opcode Fuzzy Hash: cba5df87d3bc34571f15c18130ba281561c34a16ecc347fc48b3718e4e5733a0
                                                                                                                                          • Instruction Fuzzy Hash: 8A41BF32A01B8482EBA68F15D14039977A1F788BD8F19C225FF5D177A9EF35CA94C740
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno$freestrtol
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3444388478-0
                                                                                                                                          • Opcode ID: 2fab18c1fb587b9acd116ee4d26edb839a0c2fe629e5373b20a55bce3426e234
                                                                                                                                          • Instruction ID: 03f7d72303650e760b238060e1d29e39a08159ff3c43742a9185a1a9f6e10b22
                                                                                                                                          • Opcode Fuzzy Hash: 2fab18c1fb587b9acd116ee4d26edb839a0c2fe629e5373b20a55bce3426e234
                                                                                                                                          • Instruction Fuzzy Hash: 83318432208B888ED7A28F55E8403DA77F6F78A7D5F248005FB9947A59CF39CA45CB00
                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 000000018002F0A4
                                                                                                                                          • ProcessIdToSessionId.KERNEL32 ref: 000000018002F0B1
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002F164
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002F18E
                                                                                                                                            • Part of subcall function 0000000180016F60: GetCurrentProcessId.KERNEL32 ref: 0000000180016FDB
                                                                                                                                            • Part of subcall function 0000000180016F60: ProcessIdToSessionId.KERNEL32 ref: 0000000180016FEB
                                                                                                                                            • Part of subcall function 0000000180016F60: CreateToolhelp32Snapshot.KERNEL32 ref: 0000000180017014
                                                                                                                                            • Part of subcall function 0000000180016F60: GetProcessHeap.KERNEL32 ref: 0000000180017023
                                                                                                                                            • Part of subcall function 0000000180016F60: HeapAlloc.KERNEL32 ref: 0000000180017036
                                                                                                                                            • Part of subcall function 0000000180016F60: CloseHandle.KERNEL32 ref: 0000000180017047
                                                                                                                                            • Part of subcall function 0000000180016F60: WTSGetActiveConsoleSessionId.KERNEL32 ref: 0000000180017056
                                                                                                                                            • Part of subcall function 0000000180016F60: VirtualFree.KERNEL32 ref: 00000001800171B6
                                                                                                                                            • Part of subcall function 0000000180016F60: VirtualFree.KERNEL32 ref: 00000001800171E0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$Process$Free$EnterReadSession$CurrentHeapLeave$ActiveCloseConsoleCreateHandleInitializeSnapshotToolhelp32
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1320018004-0
                                                                                                                                          • Opcode ID: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
                                                                                                                                          • Instruction ID: ba0eed75bc608429606151e3293df9a5b704ab4f115ec94558a233db70ef6dfe
                                                                                                                                          • Opcode Fuzzy Hash: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
                                                                                                                                          • Instruction Fuzzy Hash: 11315071220B5482EBA6DF11E9543AD73A1FB8DFC4F549125FA4A43B58DF38C658CB40
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$AllocEvent
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2763048252-0
                                                                                                                                          • Opcode ID: 408b677a78ec5f951b203cb1d68421295c5c1a06c57e89676511e7fcc40283bb
                                                                                                                                          • Instruction ID: ca46a6e6144f43be1c06cafe765a2f507bfaca408efeb33c880b441cc711b9cf
                                                                                                                                          • Opcode Fuzzy Hash: 408b677a78ec5f951b203cb1d68421295c5c1a06c57e89676511e7fcc40283bb
                                                                                                                                          • Instruction Fuzzy Hash: 03319332700E4442EBE68F26A9043AE5791EB8EFD0F19C120FE5A8FB96DE34D5498700
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • SetEvent.KERNEL32 ref: 000000018002DB49
                                                                                                                                          • CloseHandle.KERNEL32 ref: 000000018002DB58
                                                                                                                                          • ResetEvent.KERNEL32 ref: 000000018002DB66
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002DB85
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSectionVirtual$Alloc$EnterRead$EventLeave$CloseFreeHandleInitializeReset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4208512464-0
                                                                                                                                          • Opcode ID: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
                                                                                                                                          • Instruction ID: 7119ede1bc8f247312d9066bb2ce911e20643d41b723819dda8a12293ed4a632
                                                                                                                                          • Opcode Fuzzy Hash: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
                                                                                                                                          • Instruction Fuzzy Hash: 18315C36211B4482EB96CF62E9A836963A5FB8CBC0F1A8125EF4A43B54DF38D559C700
                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00000001800235DD
                                                                                                                                          • ProcessIdToSessionId.KERNEL32 ref: 00000001800235EA
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002367E
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800236A8
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveProcess$CurrentInitializeSession
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3327369976-0
                                                                                                                                          • Opcode ID: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
                                                                                                                                          • Instruction ID: fd99c6a66cd7ea800b156c20b4fee5fc952d6e6d35935e791b67945c2d11420b
                                                                                                                                          • Opcode Fuzzy Hash: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
                                                                                                                                          • Instruction Fuzzy Hash: 42313C32614B4487DB65DF26E44835EB3A5FB88B80F548225EB8A43B18DF3DD649CB40
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • CreateThread.KERNEL32 ref: 000000018002A782
                                                                                                                                          • CloseHandle.KERNEL32 ref: 000000018002A790
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002A7AC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002A7D6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4031785131-0
                                                                                                                                          • Opcode ID: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
                                                                                                                                          • Instruction ID: 09a8c634ee0a77ba13094bb06eb91f4e081066f499e8da2bd266085e45850a2b
                                                                                                                                          • Opcode Fuzzy Hash: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
                                                                                                                                          • Instruction Fuzzy Hash: DF213C35708B5082EB65DF53E95435AA3A1FB8DFD0F548129EF8A43B14DF38C2598B44
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180026188
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800261B2
                                                                                                                                          • CreateThread.KERNEL32 ref: 00000001800261CF
                                                                                                                                          • CloseHandle.KERNEL32 ref: 00000001800261DD
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4031785131-0
                                                                                                                                          • Opcode ID: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
                                                                                                                                          • Instruction ID: fee17a65687eca907a640ac3992546147f88c45a078b2ee3effaee71f90555ba
                                                                                                                                          • Opcode Fuzzy Hash: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
                                                                                                                                          • Instruction Fuzzy Hash: 97116031705B4082EB95CF63E95435AA3A2BF8CBC1F18C125AB4A43B54DF38D2698700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Event$ObjectSingleWait
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2127046782-0
                                                                                                                                          • Opcode ID: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
                                                                                                                                          • Instruction ID: 2c01373562b33313cd830499f931160716592ca7e4d13661f1fd562ed2423c3d
                                                                                                                                          • Opcode Fuzzy Hash: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
                                                                                                                                          • Instruction Fuzzy Hash: F601613271464882DBE38B26E98475E63A1EB8CFD1F598115EA5A47768DE38CA888700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno$__doserrno
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2614100947-0
                                                                                                                                          • Opcode ID: 20d2c32074349d48a8cbea65d446fceb55f8d0b1952b234c74b6baaf4ab55aad
                                                                                                                                          • Instruction ID: 405686cd66764e33d468f82bc5af396d13ed71ab515ca335fd6e198ab223c558
                                                                                                                                          • Opcode Fuzzy Hash: 20d2c32074349d48a8cbea65d446fceb55f8d0b1952b234c74b6baaf4ab55aad
                                                                                                                                          • Instruction Fuzzy Hash: 3001317260030887F7569F6198C13EC7652F78C791FA4C465EA9687382CB3CDE9A9B31
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CancelEventReadclosesocket
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2025173275-0
                                                                                                                                          • Opcode ID: 4ad045dac1ffec8b3e3923f420bc84c49a6e4073b63f8c3011d5d04808e9b135
                                                                                                                                          • Instruction ID: 8d8f0d6516a369597c4c9c5b95e094f64713f714c325bb1ecda08875fb2905f0
                                                                                                                                          • Opcode Fuzzy Hash: 4ad045dac1ffec8b3e3923f420bc84c49a6e4073b63f8c3011d5d04808e9b135
                                                                                                                                          • Instruction Fuzzy Hash: 0FE06D30302B0981EB975FB1DC503A923E1AF8CFB5F28871099765A2E0EE38C68C8311
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: (null)$0
                                                                                                                                          • API String ID: 0-38302674
                                                                                                                                          • Opcode ID: abca63399dbdd7ca1ead2dfee145f9cfa62680915ab84428c804b8a6cddf5cc6
                                                                                                                                          • Instruction ID: 4d5c2c8232b3af33984ae3620493541ef960866ed1991a6be4f82b168020b8be
                                                                                                                                          • Opcode Fuzzy Hash: abca63399dbdd7ca1ead2dfee145f9cfa62680915ab84428c804b8a6cddf5cc6
                                                                                                                                          • Instruction Fuzzy Hash: 2CA1D772108B8886E7A6CF28C8507EC37A2F359BD8F349115EEA947784DF35CA89C750
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno
                                                                                                                                          • String ID: 0
                                                                                                                                          • API String ID: 2918714741-4108050209
                                                                                                                                          • Opcode ID: 9cb55340de0e0c956073168701fea7522db158bb8432f989bb6f7b05cee61b81
                                                                                                                                          • Instruction ID: f891781a2b9557852fdfb9fbd1eda0dcc53d157cf0ab2b3fbb965be7ad7fb1cd
                                                                                                                                          • Opcode Fuzzy Hash: 9cb55340de0e0c956073168701fea7522db158bb8432f989bb6f7b05cee61b81
                                                                                                                                          • Instruction Fuzzy Hash: 6B91D472218F4886EBA68F24C8407DD77A2F349BD8F749105EEA947784DF31CA8AC750
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _write$memcpy
                                                                                                                                          • String ID: |
                                                                                                                                          • API String ID: 2496997324-2343686810
• Opcode ID: cf61cce58ca886a15639403763adbc2e92bf79bdf61202eea4e7dfec986bcaf2
• Instruction ID: f5d95356925bf96b949fbac8440fedc852c231d531356daa4554cdaebf1fd592
• Opcode Fuzzy Hash: cf61cce58ca886a15639403763adbc2e92bf79bdf61202eea4e7dfec986bcaf2
• Instruction Fuzzy Hash: 8E41F032305A9845EBE2CE25E584FD96394A70CBE8F4AC220AE6D077C1EF78C6498305
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: __pctype_func
• String ID: fputc$fwrite
• API String ID: 3630429742-4291123875
• Opcode ID: e9c822b156731075839b8dd13e10875af72a52f84741304959ba05d5b208b560
• Instruction ID: 44149378926c2d2e8bc3668b927d6e186dfb69a0892a42676b92b45da591eb46
• Opcode Fuzzy Hash: e9c822b156731075839b8dd13e10875af72a52f84741304959ba05d5b208b560
• Instruction Fuzzy Hash: BA41A47230474885EA839B15EC503D96792AB8C7D5FA88421FAAD473D1EF7EC789C350
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: AddressProc
• String ID: msvcrt.dll
• API String ID: 190572456-370904613
• Opcode ID: 35b34b007912df18696ede91bd601e8c24f75c165dbc50d2eff092ee0ae85306
• Instruction ID: 83da91c7f337b7bd77e87f6f6c15018bd6bf63ffd80dd08b0972f13de6a05fcd
• Opcode Fuzzy Hash: 35b34b007912df18696ede91bd601e8c24f75c165dbc50d2eff092ee0ae85306
• Instruction Fuzzy Hash: BA115E32316B4486EED59B16BD543A962A1AB4C7F0F1C9325AEBE477D4DE3CC6854300
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Windowlstrlen$memset$Process$ByteCharDataForegroundInputLocalMultiProcSessionTextThreadTimeWide__chkstkwsprintf
• String ID: 0
• API String ID: 780575994-4108050209
• Opcode ID: 8004b3049ace1bb0400474f1a69768e4362440f1312b9a8d3f505a6f2555652d
• Instruction ID: 2d4eacf1f5af29a440ccc26e887150bb4de9b194b90760097f7252ead43421a7
• Opcode Fuzzy Hash: 8004b3049ace1bb0400474f1a69768e4362440f1312b9a8d3f505a6f2555652d
• Instruction Fuzzy Hash: 70019631618A8982F7918B21E9003EA7294FB99BD0F648221FA9043BD9CF3CC648CB41
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLastgetpeername
• String ID: getpeername: %s
• API String ID: 2962421750-464625284
• Opcode ID: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
• Instruction ID: 8e5b22f6c71745472d771a736240a2f8b38a5d5d456bd51779f5d5866a1b17d5
• Opcode Fuzzy Hash: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
• Instruction Fuzzy Hash: 1DF06D3570474882EA829B15F9453EAA361BB8DBC8F588121FE594775ADF39C2488B40
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLastioctlsocket
• String ID: ioctlsocket FIONBIO 1 failed with error %d
• API String ID: 1021210092-1910823214
• Opcode ID: 5437741f9e197df0456073593f822ef657802a2ced6ff6b5c6ff5a60d5650b15
• Instruction ID: 75109152500bcb920f4cd58b11379dbfff7cd0b414408c246ebc3ca18becf466
• Opcode Fuzzy Hash: 5437741f9e197df0456073593f822ef657802a2ced6ff6b5c6ff5a60d5650b15
• Instruction Fuzzy Hash: 3DE02670760B0B82F7810BF09C843D516519B0C3E9F549024BC02462A0EE3CDACD8721
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134EB
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800134FD
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013510
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013527
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013556
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013568
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001357B
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013592
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135C1
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800135D3
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135E6
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135FD
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001362C
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001363E
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013654
• VirtualFree.KERNEL32 ref: 000000018001C7B5
• VirtualFree.KERNEL32 ref: 000000018001C7DF
• VirtualFree.KERNEL32 ref: 000000018001C7F5
• VirtualFree.KERNEL32 ref: 000000018001C81F
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
• String ID:
• API String ID: 3420869360-0
• Opcode ID: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
• Instruction ID: 4b1bcc27734f02408279893b6751d45a886e410d29ecad7f0b8f3cb754ffc34a
• Opcode Fuzzy Hash: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
• Instruction Fuzzy Hash: B6416A32715B4086EBA5CF62E45875AB7A5FB8CFC0F148528EF8A03B18DF39C5498B04
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134EB
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800134FD
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013510
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013527
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013556
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013568
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001357B
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013592
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135C1
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800135D3
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135E6
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135FD
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001362C
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001363E
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013654
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002859B
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800285C5
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800285DB
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180028605
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3420869360-0
                                                                                                                                          • Opcode ID: 23f78063f8314758092a3b7e396099cf00d438552d882076b8ccf9c8bf355a0d
                                                                                                                                          • Instruction ID: 4e4304c5467bf88644f6851a9460645099648ae5db845c2dc60d587a2a73c880
                                                                                                                                          • Opcode Fuzzy Hash: 23f78063f8314758092a3b7e396099cf00d438552d882076b8ccf9c8bf355a0d
                                                                                                                                          • Instruction Fuzzy Hash: 77417936711B5486EBA5DF22E44875AB3A5FB8CFC0F598124EF8A43B18DF39D2458B00
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180028213
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180028258
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002828E
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002829F
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                                          • Instruction ID: 77ad1e5231ed8a476fbfc46c42ae85b2aca4ea425d337ae87cc9ce4e505ece4b
                                                                                                                                          • Opcode Fuzzy Hash: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                                          • Instruction Fuzzy Hash: E6316D35712E4481FBD68F62E9543A963A1FF8CFD4F18C124EE1A47B84EF28C6599700
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180021274
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800212B9
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800212EF
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180021300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                                          • Instruction ID: 6a34f556e1eb952260192988d07e5359ed630ace43cde530af1f5a91e9e1e4a4
                                                                                                                                          • Opcode Fuzzy Hash: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                                          • Instruction Fuzzy Hash: E7318E31310A4485EB96DF27E9543A923A1BB8CFD5F088124EE1A87B48EF28C6598740
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180033094
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800330D9
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018003310F
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180033120
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
                                                                                                                                          • Instruction ID: e4aa63813d0d37e329d180b1982be950b0dfcde14e28e818de6d8c70130e72de
                                                                                                                                          • Opcode Fuzzy Hash: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
                                                                                                                                          • Instruction Fuzzy Hash: 23316231310A4481EBD68F27E99539A63A1FF4CFD4F09C124EE5A47B98DF39C6598700
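The function entries above all reach the same subcall target, 0000000180013330, which wraps VirtualAlloc, InitializeCriticalSection, IsBadReadPtr and Enter/LeaveCriticalSection. When triaging a report like this it is useful to pull that structure out of the text rather than read each entry by hand. The following is an added example, not part of the Joe Sandbox report or the ValleyRAT sample: a Python parser for the entry layout shown on this page ("APIs", direct "ref:" lines, "Part of subcall function" lines, the Similarity fields). The sample input is a trimmed copy of two entries from the page; the helper names (parse_entries, shared_helpers, helper_api_profile, alloc_free_balance) are mine, and treating the lowest direct-call address of an entry as the caller's identity is an assumption for illustration, not something the report states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed copy of two function entries in the layout the
# report uses (direct calls, "Part of subcall function" lines, Similarity block).
# Addresses and hashes are copied from the page; nothing here is new data.
SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32 ref: 0000000180021274
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
• VirtualFree.KERNEL32 ref: 00000001800212B9
• VirtualFree.KERNEL32 ref: 00000001800212EF
• VirtualFree.KERNEL32 ref: 0000000180021300
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• Instruction Fuzzy Hash: E7318E31310A4485EB96DF27E9543A923A1BB8CFD5F088124EE1A87B48EF28C6598740
APIs
• VirtualAlloc.KERNEL32 ref: 0000000180033094
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
• VirtualFree.KERNEL32 ref: 00000001800330D9
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• Instruction Fuzzy Hash: 23316231310A4481EBD68F27E99539A63A1FF4CFD4F09C124EE5A47B98DF39C6598700
"""

# A direct call line:   "• VirtualAlloc.KERNEL32 ref: 0000000180028213"
DIRECT_RE = re.compile(
    r"^\s*•\s+(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
# A subcall line:       "• Part of subcall function 0000000180013330: X.KERNEL32(...), ref: ..."
SUBCALL_RE = re.compile(
    r"^\s*•\s+Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s+"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
# Similarity fields worth keeping for clustering across reports.
FIELD_RE = re.compile(
    r"^\s*•\s+(?P<key>API ID|Instruction Fuzzy Hash|Opcode Fuzzy Hash):\s*(?P<val>\S+)\s*$")


def parse_entries(text):
    """Split report text into function entries; each 'APIs' heading starts one."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"direct": [], "subcalls": [], "fields": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = SUBCALL_RE.match(line)
        if m:
            cur["subcalls"].append((m["callee"].upper(), m["api"], int(m["ref"], 16)))
            continue
        m = DIRECT_RE.match(line)
        if m:
            cur["direct"].append((m["api"], int(m["ref"], 16)))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"]
    return entries


def entry_start(entry):
    """Assumption: the lowest direct-call address identifies the calling function."""
    return min(ref for _, ref in entry["direct"]) if entry["direct"] else None


def shared_helpers(entries):
    """Map each subcall target to the sorted callers that reach it. A target hit
    from many callers is a shared helper worth naming in IDA before reading on."""
    callers = defaultdict(set)
    for e in entries:
        start = entry_start(e)
        if start is None:
            continue
        for callee, _, _ in e["subcalls"]:
            callers[callee].add(start)
    return {k: sorted(v) for k, v in callers.items()}


def helper_api_profile(entries, callee):
    """Unique APIs seen inside one subcall target, ordered by first reference."""
    first_ref = {}
    for e in entries:
        for c, api, ref in e["subcalls"]:
            if c == callee and (api not in first_ref or ref < first_ref[api]):
                first_ref[api] = ref
    return [api for api, _ in sorted(first_ref.items(), key=lambda kv: kv[1])]


def alloc_free_balance(entry):
    """(VirtualAlloc, VirtualFree) counts among the caller's own direct calls."""
    c = Counter(api for api, _ in entry["direct"])
    return c["VirtualAlloc"], c["VirtualFree"]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for e in entries:
        print(hex(entry_start(e)), alloc_free_balance(e), e["fields"].get("API ID"))
    for callee, callers in shared_helpers(entries).items():
        print("helper 0x%x reached from %s" % (int(callee, 16), [hex(c) for c in callers]))
        print("  profile:", helper_api_profile(entries, callee))
```

Running it over the full report text (after stripping the page indentation) lists every caller of 0x180013330 and the API profile of that helper, which is the quickest way to decide that it is an allocator wrapper rather than something to step through in each caller. The API ID and fuzzy-hash fields are kept per entry so the same entries can be matched against other reports from the same family.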
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 000000018001C1B4
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001C1F9
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001C22F
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001C240
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
                                                                                                                                          • Instruction ID: 0111d3a934c151165b550e2593a99b7e0e9a14f01953bedcd4608c31b277a33a
                                                                                                                                          • Opcode Fuzzy Hash: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
                                                                                                                                          • Instruction Fuzzy Hash: BC319E31310E4482EB968F67E9547A963A1FF8CFD4F08C124EE1A47B88EF38C6598745
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 000000018001B1D4
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001B219
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001B24F
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001B260
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
                                                                                                                                          • Instruction ID: 4b2e6c66f327050a27fcd0c51096eb3f8ae716981fc83d70c768d5fe3c7de98f
                                                                                                                                          • Opcode Fuzzy Hash: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
                                                                                                                                          • Instruction Fuzzy Hash: A2316D31310A4481EB969F67E9547AD63A5FB8CFD4F088124EE1A87B98EF38C6598700
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 000000018002A484
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002A4C9
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002A4FF
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002A510
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: 626f2b7068f63ec094e6a9f92076cad6c8906216c14cb64ffb88a0ffa73d076f
                                                                                                                                          • Instruction ID: efda1176230fd9837f10b735971e29991b7c7a4935e118cfebe42542b14e463d
                                                                                                                                          • Opcode Fuzzy Hash: 626f2b7068f63ec094e6a9f92076cad6c8906216c14cb64ffb88a0ffa73d076f
                                                                                                                                          • Instruction Fuzzy Hash: 6A317131314A4486FB969F27E9543AA63A1FF8DFD4F08C124EE1A47B58EF29C6598700
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 000000018003055B
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800305A0
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800305D6
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800305E7
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: f5394e92998ff4ba06ab85d94ac86c9fd9ddc821b539b28ef3b02b42b4153c03
                                                                                                                                          • Instruction ID: cea3756b3c5a100aeeaf40825adb8834645a0e8f2fd0e7eedf42260691285d7d
• Opcode Fuzzy Hash: f5394e92998ff4ba06ab85d94ac86c9fd9ddc821b539b28ef3b02b42b4153c03
• Instruction Fuzzy Hash: 98319131315A4481FBD68F63E96439A63A1FF8CFD4F19C124EE1A47B48EF28C6598700
APIs
• VirtualAlloc.KERNEL32 ref: 000000018002D93A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018002D97F
• VirtualFree.KERNEL32 ref: 000000018002D9B5
• VirtualFree.KERNEL32 ref: 000000018002D9C6
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
• Instruction ID: 02f4f0b180749e235a0dc1c370b86b5da43c00d82dbe72d6a566ac768cb93689
• Opcode Fuzzy Hash: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
• Instruction Fuzzy Hash: 45315031310A4841EB96DF27E9547A963A1BB4DFD4F08C126EE5A47B94DF28CA998700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$lstrlen$Alloc$ByteCharMultiWidememset
• String ID:
• API String ID: 2589853381-0
• Opcode ID: 9e973a8c3555f4eb24f0b8ebfcc6161375dadd9c45ee45004ec477c379de15ec
• Instruction ID: 8b0ca1c1598baae50a5236b37b16b711799dbf7ffdf11fe73bb17caf9d3a0f63
• Opcode Fuzzy Hash: 9e973a8c3555f4eb24f0b8ebfcc6161375dadd9c45ee45004ec477c379de15ec
• Instruction Fuzzy Hash: DD11C231300B0442EB998F72E9547A963A2FF8CFC4F18C024EE0A07B58DE39C5498701
APIs
Memory Dump Source
• Source File: 00000003.00000002.2975242920.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.2975202666.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975398356.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975471007.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2975529637.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 7d424a39128fc79d423e685d07f3b0557c8311698411645ac54d4061eb6ffd6c
• Instruction ID: 6009e2f0abf34f140cedfbc7206dbcc2494b56a364391128098d205548f6baf9
• Opcode Fuzzy Hash: 7d424a39128fc79d423e685d07f3b0557c8311698411645ac54d4061eb6ffd6c
• Instruction Fuzzy Hash: 0611AC32700B8486DB959F22AD5439E6321FB4DFC4F588121FE561BBA8CF38C5598300