
Windows Analysis Report
R2-Signed.exe

Overview

General Information

Sample name: R2-Signed.exe
Analysis ID: 1579841
MD5: a7471e097d4d4e84fa44a025603499e1
SHA1: 231bbd89584d137fb2a418776549aa3774638d42
SHA256: deede7611a657fab998d2e354f0168adf7a9ab89f34ab1fd7ccab8c9736597e9
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

ValleyRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected ValleyRAT
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain checking for user administrative privileges
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to disable installed Antivirus / HIPS / PFW
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • R2-Signed.exe (PID: 2084 cmdline: "C:\Users\user\Desktop\R2-Signed.exe" MD5: A7471E097D4D4E84FA44A025603499E1)
    • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3128 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dllhost.exe (PID: 7216 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • ParphaCrashReport64.exe (PID: 7256 cmdline: "C:\Program Files\Windows Mail\ParphaCrashReport64.exe" MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A)
      • svchost.exe (PID: 7296 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dllhost.exe (PID: 7336 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • cleanup
No configs have been found

Source | Rule | Description | Author | Strings
Process Memory Space: svchost.exe PID: 1044 | JoeSecurity_ValleyRAT | Yara detected ValleyRAT | Joe Security |

    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\R2-Signed.exe", ParentImage: C:\Users\user\Desktop\R2-Signed.exe, ParentProcessId: 2084, ParentProcessName: R2-Signed.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe
    Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\R2-Signed.exe", ParentImage: C:\Users\user\Desktop\R2-Signed.exe, ParentProcessId: 2084, ParentProcessName: R2-Signed.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1044, ProcessName: svchost.exe
    No Suricata rule has matched
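The process tree, Sigma hits and network section above describe behaviour that can be hunted for directly in endpoint telemetry: svchost.exe started by something other than the service control manager, dllhost.exe launched from that svchost with a /Processid value whose last group has 8 hex digits instead of the 12 a CLSID requires, PE files written under C:\Program Files\Windows Mail\, and TCP connections to 18.139.89.40 with no preceding DNS answer. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling: the events it scans are constructed to mirror the tree above, the event field names are an assumption (Sysmon-like, but not Sysmon's schema), and the svchost parent allowlist is a reduced version of the public Sigma rule's that you would tune to your own estate.

```python
"""Hunt constructed endpoint telemetry for the behaviour recorded in this report.

Added example (not from the Joe Sandbox report). Indicators are copied from the
report; the EVENTS list and field names below are constructed and assumed.
"""
import re
from typing import Dict, Iterable, List, Set

# Indicators taken from the report above.
C2_IP = "18.139.89.40"
DROP_DIR = r"c:\program files\windows mail"
DROPPED_NAMES = {"parphacrashreport64.exe", "arphadump64.dll", "arphadump64.bin"}
SAMPLE_SHA256 = "deede7611a657fab998d2e354f0168adf7a9ab89f34ab1fd7ccab8c9736597e9"

# Assumption: reduced allowlist of legitimate svchost.exe parents, modelled on the
# "Uncommon Svchost Parent Process" Sigma logic. Tune it to your environment.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "ngen.exe",
                   "tiworker.exe", "rpcnet.exe", "rpcnetp.exe"}

# A COM surrogate CLSID has 8-4-4-4-12 hex groups; anything else is malformed.
PROCESSID_RE = re.compile(r"/processid:(\{[^}]*\})", re.I)
CLSID_RE = re.compile(
    r"/processid:\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> List[str]:
    """Process-creation checks: known hash, svchost parent, dllhost CLSID shape."""
    out: List[str] = []
    image, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "")
    if ev.get("sha256", "").lower() == SAMPLE_SHA256:
        out.append(f"known sample hash executed: {ev['image']}")
    if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
        out.append(f"svchost.exe started by uncommon parent {ev['parent_image']}: {cmd}")
    if image == "dllhost.exe":
        m = PROCESSID_RE.search(cmd)
        if m and not CLSID_RE.search(cmd):
            out.append(f"dllhost.exe with malformed /Processid CLSID {m.group(1)} "
                       f"(parent {ev.get('parent_image', '?')})")
    return out


def check_file(ev: Dict) -> List[str]:
    """File-creation check: PE written into the drop directory used by this sample."""
    target = ev["target"].lower()
    name = basename(target)
    if target.startswith(DROP_DIR) and (name in DROPPED_NAMES or name.endswith((".exe", ".dll"))):
        return [f"{basename(ev['image'])} wrote {ev['target']}"]
    return []


def check_network(ev: Dict, resolved: Set[str]) -> List[str]:
    """Connection check: known C2 address, and any destination never returned by DNS."""
    dst = ev["dst_ip"]
    out: List[str] = []
    if dst == C2_IP:
        out.append(f"connection to C2 address from report {dst}")
    if dst not in resolved:
        out.append(f"TCP connection to {dst} without a corresponding DNS answer")
    return out


def hunt(events: Iterable[Dict]) -> List[str]:
    """Run events in order; DNS answers seen earlier vouch for later connections."""
    resolved: Set[str] = set()
    findings: List[str] = []
    for ev in events:
        kind = ev["type"]
        if kind == "dns":
            resolved.update(ev["answers"])
        elif kind == "process":
            findings += check_process(ev)
        elif kind == "file":
            findings += check_file(ev)
        elif kind == "network":
            findings += check_network(ev, resolved)
    return findings


# Constructed telemetry mirroring the report's process tree (not real logs).
EVENTS = [
    {"type": "process", "image": r"C:\Users\user\Desktop\R2-Signed.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\R2-Signed.exe"', "sha256": SAMPLE_SHA256},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\user\Desktop\R2-Signed.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",          # benign control
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}"},
    {"type": "file", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Program Files\Windows Mail\ParphaCrashReport64.exe"},
    {"type": "dns", "query": "example.com", "answers": ["203.0.113.10"]},      # constructed
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "203.0.113.10"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": C2_IP},
]

if __name__ == "__main__":
    for line in hunt(EVENTS):
        print("[!]", line)
```

The benign svchost.exe started by services.exe and the connection to the DNS-resolved address produce no findings; the remaining five constructed events produce six, because the C2 connection trips both the known-address and the no-DNS check. The CLSID shape test is a cheap heuristic only: a real COM surrogate launch carries a well-formed CLSID, so a malformed one from a non-services.exe svchost is worth a look, but a well-formed CLSID proves nothing.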

    AV Detection

    Source: C:\Program Files\Windows Mail\arphaDump64.dll | ReversingLabs: Detection: 52%
    Source: R2-Signed.exe | ReversingLabs: Detection: 15%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 88.1% probability
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.bin
    Source: R2-Signed.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb | source: R2-Signed.exe, R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000005.00000002.1710463566.00007FFE11ED9000.00000002.00000001.01000000.00000009.sdmp, arphaDump64.dll.2.dr
    Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb | source: R2-Signed.exe, R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000005.00000002.1710266927.00007FF767A12000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe, 00000005.00000000.1696950381.00007FF767A12000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.2.dr
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F6810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree, 2_2_000001845C4F6810
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree, 3_2_0000000180026810
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree, 4_2_0000000180026810
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree, 5_2_0000000180026810
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EDDD0 malloc,memset,FindFirstFileW,free, 2_2_000001845C4EDDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 2_2_000001845C4EC850
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree, 2_2_000001845C4EE210
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4ECCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 2_2_000001845C4ECCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree, 3_2_000000018001E210
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 3_2_000000018001C850
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 3_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free, 3_2_000000018001DDD0
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree, 4_2_000000018001E210
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 4_2_000000018001C850
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 4_2_000000018001CCF0
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free, 4_2_000000018001DDD0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FF767A08F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 5_2_00007FF767A08F78
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FFE11ED05EC FindFirstFileExW, 5_2_00007FFE11ED05EC
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree, 5_2_000000018001E210
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 5_2_000000018001C850
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 5_2_000000018001CCF0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001DDD0 malloc,memset,FindFirstFileW,free, 5_2_000000018001DDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FCD30 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,lstrcpyW,lstrcatW, 2_2_000001845C4FCD30
    Source: unknown | TCP traffic detected without corresponding DNS query: 18.139.89.40 (this entry is repeated 36 times in the report, one per connection)
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C503E20 memset,CreateEventW,WSARecv,WSAGetLastError,WaitForMultipleObjects,WSAGetOverlappedResult,WSAGetLastError,CloseHandle, 2_2_000001845C503E20
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ejemplo.com
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore/category/extensions
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=afCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=es-419Ctrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=esCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=etCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=fiCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/?
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=filCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=frCtrl$1
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://ejemplo.com.Se
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://myactivity.google.com/
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.com
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comContrase
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comGestoorde
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comMga
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comMots
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comSaved
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comSe
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comSelle
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://passwords.google.comT
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://policies.google.com/
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/a/answer/9122284
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869?hl=es
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/answer/96817
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chromebook?p=app_intent
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&AideG
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlBestuur
    Source: R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosi
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4E97D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_000001845C4E97D0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4E99F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,2_2_000001845C4E99F0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4F6200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,2_2_000001845C4F6200
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4FF1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_000001845C4FF1B0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_000000018002F1B0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,3_2_0000000180026200
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_00000001800197D0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,3_2_00000001800199F0
    Source: C:\Windows\System32\dllhost.exe Code function: 4_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_000000018002F1B0
    Source: C:\Windows\System32\dllhost.exe Code function: 4_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,4_2_0000000180026200
    Source: C:\Windows\System32\dllhost.exe Code function: 4_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_00000001800197D0
    Source: C:\Windows\System32\dllhost.exe Code function: 4_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,4_2_00000001800199F0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_000000018002F1B0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,5_2_0000000180026200
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_00000001800197D0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree,5_2_00000001800199F0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4EAC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage,2_2_000001845C4EAC60
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4EA410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,2_2_000001845C4EA410
    Source: R2-Signed.exe, 00000000.00000002.1690413969.000001273A024000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180005824 realloc,NtQuerySystemInformation,0_2_0000000180005824
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,0_2_00000001800080F2
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4E2830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,2_2_000001845C4E2830
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4E1AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,2_2_000001845C4E1AE0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4E1C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,2_2_000001845C4E1C70
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,3_2_0000000180011AE0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,3_2_0000000180011C70
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,3_2_0000000180012830
    Source: C:\Windows\System32\dllhost.exe Code function: 4_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,4_2_0000000180012830
    Source: C:\Windows\System32\dllhost.exe Code function: 4_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,4_2_0000000180011AE0
    Source: C:\Windows\System32\dllhost.exe Code function: 4_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,4_2_0000000180011C70
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_000000018000B822 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort,5_2_000000018000B822
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_0000000180008F54 realloc,NtQuerySystemInformation,5_2_0000000180008F54
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect,5_2_0000000180012830
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,5_2_0000000180011AE0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe Code function: 5_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle,5_2_0000000180011C70
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4F05A0: CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle,2_2_000001845C4F05A0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4E5FB0 GetCurrentProcessId,TerminateThread,TerminateProcess,lstrcmpiW,Sleep,ExitThread,memset,lstrcatW,lstrcatW,memset,GetSystemDirectoryW,GetLastError,lstrcatW,lstrcatW,lstrcatW,OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,memset,wsprintfW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SetFileAttributesW,DeleteFileW,SysAllocString,Sleep,GetCurrentProcess,TerminateProcess,2_2_000001845C4E5FB0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000001845C4EFF40 WTSQueryUserToken,GetLastError,DuplicateTokenEx,ConvertStringSidToSidW,GetLengthSid,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,2_2_000001845C4EFF40
    Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800080F2 0_2_00000001800080F2
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180009BC0 0_2_0000000180009BC0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800054D5 0_2_00000001800054D5
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800015B0 0_2_00000001800015B0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180001010 0_2_0000000180001010
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003833 0_2_0000000180003833
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180028038 0_2_0000000180028038
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180014848 0_2_0000000180014848
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000284D 0_2_000000018000284D
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018002C080 0_2_000000018002C080
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003880 0_2_0000000180003880
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800180EE 0_2_00000001800180EE
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000290C 0_2_000000018000290C
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180004153 0_2_0000000180004153
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002170 0_2_0000000180002170
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000B1AC 0_2_000000018000B1AC
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800069E0 0_2_00000001800069E0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800151E8 0_2_00000001800151E8
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002A06 0_2_0000000180002A06
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180001A10 0_2_0000000180001A10
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002A19 0_2_0000000180002A19
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003220 0_2_0000000180003220
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000225E 0_2_000000018000225E
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018001AA6C 0_2_000000018001AA6C
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000B280 0_2_000000018000B280
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180006AB0 0_2_0000000180006AB0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000C2D0 0_2_000000018000C2D0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003AE0 0_2_0000000180003AE0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000435B 0_2_000000018000435B
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000C370 0_2_000000018000C370
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180023B98 0_2_0000000180023B98
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800033B8 0_2_00000001800033B8
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018001FC0C 0_2_000000018001FC0C
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180028464 0_2_0000000180028464
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003464 0_2_0000000180003464
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000947B 0_2_000000018000947B
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002C8A 0_2_0000000180002C8A
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180004CB0 0_2_0000000180004CB0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800044C1 0_2_00000001800044C1
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003CF2 0_2_0000000180003CF2
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002526 0_2_0000000180002526
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003530 0_2_0000000180003530
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180007550 0_2_0000000180007550
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180001D60 0_2_0000000180001D60
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180016D88 0_2_0000000180016D88
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800045A9 0_2_00000001800045A9
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003DBC 0_2_0000000180003DBC
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000360B 0_2_000000018000360B
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000B620 0_2_000000018000B620
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002E24 0_2_0000000180002E24
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180005E58 0_2_0000000180005E58
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002666 0_2_0000000180002666
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180029E8C 0_2_0000000180029E8C
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000469C 0_2_000000018000469C
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180024EB0 0_2_0000000180024EB0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000BEB0 0_2_000000018000BEB0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000B6C0 0_2_000000018000B6C0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180008EC0 0_2_0000000180008EC0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018001FED8 0_2_000000018001FED8
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_00000001800096E0 0_2_00000001800096E0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000DEE8 0_2_000000018000DEE8
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_000000018000C6F0 0_2_000000018000C6F0
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180003717 0_2_0000000180003717
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180010F18 0_2_0000000180010F18
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180021F44 0_2_0000000180021F44
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180006F70 0_2_0000000180006F70
    Source: C:\Users\user\Desktop\R2-Signed.exe Code function: 0_2_0000000180002777 0_2_0000000180002777
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180001010 2_2_0000000180001010
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180001A10 2_2_0000000180001A10
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180001D60 2_2_0000000180001D60
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003833 2_2_0000000180003833
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180028038 2_2_0000000180028038
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180014848 2_2_0000000180014848
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000284D 2_2_000000018000284D
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018002C080 2_2_000000018002C080
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003880 2_2_0000000180003880
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800180EE 2_2_00000001800180EE
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800080F2 2_2_00000001800080F2
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000290C 2_2_000000018000290C
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180004153 2_2_0000000180004153
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180002170 2_2_0000000180002170
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000B1AC 2_2_000000018000B1AC
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800069E0 2_2_00000001800069E0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800151E8 2_2_00000001800151E8
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180002A06 2_2_0000000180002A06
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180002A19 2_2_0000000180002A19
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003220 2_2_0000000180003220
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000225E 2_2_000000018000225E
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018001AA6C 2_2_000000018001AA6C
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000B280 2_2_000000018000B280
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180006AB0 2_2_0000000180006AB0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000C2D0 2_2_000000018000C2D0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003AE0 2_2_0000000180003AE0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000435B 2_2_000000018000435B
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000C370 2_2_000000018000C370
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180023B98 2_2_0000000180023B98
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800033B8 2_2_00000001800033B8
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180009BC0 2_2_0000000180009BC0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018001FC0C 2_2_000000018001FC0C
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180028464 2_2_0000000180028464
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003464 2_2_0000000180003464
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000947B 2_2_000000018000947B
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180002C8A 2_2_0000000180002C8A
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180004CB0 2_2_0000000180004CB0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800044C1 2_2_00000001800044C1
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800054D5 2_2_00000001800054D5
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003CF2 2_2_0000000180003CF2
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180002526 2_2_0000000180002526
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003530 2_2_0000000180003530
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180007550 2_2_0000000180007550
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180016D88 2_2_0000000180016D88
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800045A9 2_2_00000001800045A9
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800015B0 2_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003DBC 2_2_0000000180003DBC
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000360B 2_2_000000018000360B
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000B620 2_2_000000018000B620
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180002E24 2_2_0000000180002E24
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180005E58 2_2_0000000180005E58
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180002666 2_2_0000000180002666
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180029E8C 2_2_0000000180029E8C
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000469C 2_2_000000018000469C
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180024EB0 2_2_0000000180024EB0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000BEB0 2_2_000000018000BEB0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000B6C0 2_2_000000018000B6C0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180008EC0 2_2_0000000180008EC0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018001FED8 2_2_000000018001FED8
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000001800096E0 2_2_00000001800096E0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000DEE8 2_2_000000018000DEE8
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_000000018000C6F0 2_2_000000018000C6F0
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180003717 2_2_0000000180003717
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180010F18 2_2_0000000180010F18
    Source: C:\Windows\System32\svchost.exe Code function: 2_2_0000000180021F44 2_2_0000000180021F44
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_0000000180006F702_2_0000000180006F70
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_00000001800027772_2_0000000180002777
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF374F22_2_000001845BF374F2
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF474EE2_2_000001845BF474EE
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF5B4802_2_000001845BF5B480
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF32C802_2_000001845BF32C80
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF43C482_2_000001845BF43C48
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31C4D2_2_000001845BF31C4D
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF574382_2_000001845BF57438
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF32C332_2_000001845BF32C33
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF304102_2_000001845BF30410
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31B772_2_000001845BF31B77
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF363702_2_000001845BF36370
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF513442_2_000001845BF51344
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF32B172_2_000001845BF32B17
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF403182_2_000001845BF40318
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3D2E82_2_000001845BF3D2E8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3BAF02_2_000001845BF3BAF0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF4F2D82_2_000001845BF4F2D8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF38AE02_2_000001845BF38AE0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF382C02_2_000001845BF382C0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3AAC02_2_000001845BF3AAC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF542B02_2_000001845BF542B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3B2B02_2_000001845BF3B2B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF33A9C2_2_000001845BF33A9C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF5928C2_2_000001845BF5928C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31A662_2_000001845BF31A66
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF352582_2_000001845BF35258
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF322242_2_000001845BF32224
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3AA202_2_000001845BF3AA20
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF32A0B2_2_000001845BF32A0B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF331BC2_2_000001845BF331BC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF339A92_2_000001845BF339A9
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF309B02_2_000001845BF309B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF461882_2_000001845BF46188
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF311602_2_000001845BF31160
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF369502_2_000001845BF36950
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF319262_2_000001845BF31926
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF329302_2_000001845BF32930
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF330F22_2_000001845BF330F2
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF348D52_2_000001845BF348D5
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF338C12_2_000001845BF338C1
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF340B02_2_000001845BF340B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3208A2_2_000001845BF3208A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3887B2_2_000001845BF3887B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF328642_2_000001845BF32864
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF578642_2_000001845BF57864
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF4F00C2_2_000001845BF4F00C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF327B82_2_000001845BF327B8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF38FC02_2_000001845BF38FC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF52F982_2_000001845BF52F98
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3B7702_2_000001845BF3B770
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3375B2_2_000001845BF3375B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF326202_2_000001845BF32620
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF32EE02_2_000001845BF32EE0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3B6D02_2_000001845BF3B6D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF35EB02_2_000001845BF35EB0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3A6802_2_000001845BF3A680
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF49E6C2_2_000001845BF49E6C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3165E2_2_000001845BF3165E
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31E192_2_000001845BF31E19
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF326202_2_000001845BF32620
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31E062_2_000001845BF31E06
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF30E102_2_000001845BF30E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF445E82_2_000001845BF445E8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF35DE02_2_000001845BF35DE0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF3A5AC2_2_000001845BF3A5AC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF315702_2_000001845BF31570
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF335532_2_000001845BF33553
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845BF31D0C2_2_000001845BF31D0C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F06802_2_000001845C4F0680
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E21402_2_000001845C4E2140
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EF9E02_2_000001845C4EF9E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DED502_2_000001845C4DED50
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EE5502_2_000001845C4EE550
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6D442_2_000001845C4D6D44
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D656A2_2_000001845C4D656A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D1D802_2_000001845C4D1D80
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F65302_2_000001845C4F6530
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FAD302_2_000001845C4FAD30
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C508D242_2_000001845C508D24
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D75D22_2_000001845C4D75D2
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DF5E02_2_000001845C4DF5E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DC5F02_2_000001845C4DC5F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DEDF02_2_000001845C4DEDF0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4D902_2_000001845C4F4D90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F55902_2_000001845C4F5590
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D95882_2_000001845C4D9588
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D2D8A2_2_000001845C4D2D8A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7DA12_2_000001845C4D7DA1
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E8DA02_2_000001845C4E8DA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EB5A02_2_000001845C4EB5A0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FBDC02_2_000001845C4FBDC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5026602_2_000001845C502660
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5266702_2_000001845C526670
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6E102_2_000001845C4D6E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DCE102_2_000001845C4DCE10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E3E102_2_000001845C4E3E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F9E102_2_000001845C4F9E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5E062_2_000001845C4D5E06
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DFE202_2_000001845C4DFE20
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D16302_2_000001845C4D1630
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E66302_2_000001845C4E6630
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EAE402_2_000001845C4EAE40
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D3EC72_2_000001845C4D3EC7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E76E02_2_000001845C4E76E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6EEB2_2_000001845C4D6EEB
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F47002_2_000001845C4F4700
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7E892_2_000001845C4D7E89
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DA6A02_2_000001845C4DA6A0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D769C2_2_000001845C4D769C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C529E902_2_000001845C529E90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E9EC02_2_000001845C4E9EC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5037602_2_000001845C503760
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5F462_2_000001845C4D5F46
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E6F602_2_000001845C4E6F60
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D176F2_2_000001845C4D176F
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E87802_2_000001845C4E8780
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F1F802_2_000001845C4F1F80
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7F7C2_2_000001845C4D7F7C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EF7102_2_000001845C4EF710
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D67042_2_000001845C4D6704
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D271A2_2_000001845C4D271A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FA7F02_2_000001845C4FA7F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6FF72_2_000001845C4D6FF7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D1F882_2_000001845C4D1F88
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C504FA02_2_000001845C504FA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E7FA02_2_000001845C4E7FA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E5FB02_2_000001845C4E5FB0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EEFC02_2_000001845C4EEFC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4FC02_2_000001845C4F4FC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F57C02_2_000001845C4F57C0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D4FB52_2_000001845C4D4FB5
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EC8502_2_000001845C4EC850
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D60572_2_000001845C4D6057
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D10702_2_000001845C4D1070
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F78702_2_000001845C4F7870
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F88802_2_000001845C4F8880
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DB8222_2_000001845C4DB822
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FE0102_2_000001845C4FE010
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5008102_2_000001845C500810
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E38D02_2_000001845C4E38D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D20C72_2_000001845C4D20C7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DE8DC2_2_000001845C4DE8DC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FF8902_2_000001845C4FF890
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C50A8BC2_2_000001845C50A8BC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E51502_2_000001845C4E5150
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D71602_2_000001845C4D7160
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D29712_2_000001845C4D2971
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E11802_2_000001845C4E1180
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D517C2_2_000001845C4D517C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D517A2_2_000001845C4D517A
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DA1102_2_000001845C4DA110
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D71132_2_000001845C4D7113
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F49302_2_000001845C4F4930
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D612D2_2_000001845C4D612D
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5141402_2_000001845C514140
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DA1E02_2_000001845C4DA1E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E99F02_2_000001845C4E99F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D61EC2_2_000001845C4D61EC
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DFA002_2_000001845C4DFA00
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E91902_2_000001845C4E9190
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EA1902_2_000001845C4EA190
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D219F2_2_000001845C4D219F
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DE9B02_2_000001845C4DE9B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5A502_2_000001845C4D5A50
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D12642_2_000001845C4D1264
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D227C2_2_000001845C4D227C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5012702_2_000001845C501270
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F1A102_2_000001845C4F1A10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F5A102_2_000001845C4F5A10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7A332_2_000001845C4D7A33
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E82302_2_000001845C4E8230
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D3A322_2_000001845C4D3A32
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FAA302_2_000001845C4FAA30
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EEA402_2_000001845C4EEA40
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EAAD02_2_000001845C4EAAD0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FB2D02_2_000001845C4FB2D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DD2F02_2_000001845C4DD2F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D62E62_2_000001845C4D62E6
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D33002_2_000001845C4D3300
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6B002_2_000001845C4D6B00
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F93002_2_000001845C4F9300
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D62F92_2_000001845C4D62F9
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F72902_2_000001845C4F7290
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DFAA02_2_000001845C4DFAA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D4A982_2_000001845C4D4A98
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E2B502_2_000001845C4E2B50
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4B602_2_000001845C4F4B60
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F53402_2_000001845C4F5340
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D5B3E2_2_000001845C4D5B3E
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E73D02_2_000001845C4E73D0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D83E02_2_000001845C4D83E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D2BD62_2_000001845C4D2BD6
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D13F72_2_000001845C4D13F7
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DCBAB2_2_000001845C4DCBAB
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D73C02_2_000001845C4D73C0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F3BC02_2_000001845C4F3BC0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC542_2_000001845C4FFC54
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC5D2_2_000001845C4FFC5D
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC4B2_2_000001845C4FFC4B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D34702_2_000001845C4D3470
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F34642_2_000001845C4F3464
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4DAC802_2_000001845C4DAC80
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E44102_2_000001845C4E4410
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D8C052_2_000001845C4D8C05
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C500C202_2_000001845C500C20
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6B002_2_000001845C4D6B00
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4ED4202_2_000001845C4ED420
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC392_2_000001845C4FFC39
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC422_2_000001845C4FFC42
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC272_2_000001845C4FFC27
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D7C3B2_2_000001845C4D7C3B
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FFC302_2_000001845C4FFC30
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D2CD22_2_000001845C4D2CD2
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D54E02_2_000001845C4D54E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F24E02_2_000001845C4F24E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4ECCF02_2_000001845C4ECCF0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C5034F02_2_000001845C5034F0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F5C902_2_000001845C4F5C90
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D6C982_2_000001845C4D6C98
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E9CB02_2_000001845C4E9CB0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F44B02_2_000001845C4F44B0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4D3CA62_2_000001845C4D3CA6
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800121403_2_0000000180012140
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800151503_2_0000000180015150
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800224E03_2_00000001800224E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800206803_2_0000000180020680
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800176E03_2_00000001800176E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001F9E03_2_000000018001F9E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001AAD03_2_000000018001AAD0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180013E103_2_0000000180013E10
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180006FF73_2_0000000180006FF7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002E0103_2_000000018002E010
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800060573_2_0000000180006057
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800010703_2_0000000180001070
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800020C73_2_00000001800020C7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000A1103_2_000000018000A110
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800071133_2_0000000180007113
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000612D3_2_000000018000612D
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800441403_2_0000000180044140
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800071603_2_0000000180007160
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000517A3_2_000000018000517A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000517C3_2_000000018000517C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800111803_2_0000000180011180
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001A1903_2_000000018001A190
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800191903_2_0000000180019190
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000219F3_2_000000018000219F
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000A1E03_2_000000018000A1E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800061EC3_2_00000001800061EC
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800182303_2_0000000180018230
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800012643_2_0000000180001264
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800312703_2_0000000180031270
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000227C3_2_000000018000227C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800272903_2_0000000180027290
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002B2D03_2_000000018002B2D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800642E03_2_00000001800642E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800062E63_2_00000001800062E6
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000D2F03_2_000000018000D2F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800062F93_2_00000001800062F9
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800293003_2_0000000180029300
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800033003_2_0000000180003300
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800623273_2_0000000180062327
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800253403_2_0000000180025340
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018005B3803_2_000000018005B380
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800073C03_2_00000001800073C0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800173D03_2_00000001800173D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800083E03_2_00000001800083E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800013F73_2_00000001800013F7
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018004C4103_2_000000018004C410
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800144103_2_0000000180014410
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001D4203_2_000000018001D420
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800234643_2_0000000180023464
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800034703_2_0000000180003470
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800244B03_2_00000001800244B0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800054E03_2_00000001800054E0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800334F03_2_00000001800334F0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800265303_2_0000000180026530
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001E5503_2_000000018001E550
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018000656A3_2_000000018000656A
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800095883_2_0000000180009588
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001800255903_2_0000000180025590
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001B5A0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800075D2
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000F5E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000C5F0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180016630
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180001630
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018003664B
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180032660
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180056670
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000769C
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000A6A0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800486E0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180024700
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180006704
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001F710
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000271A
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180033760
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180063770
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000176F
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180018780
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180052790
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800367B8
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800257C0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002A7F0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180030810
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000B822
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C850
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027870
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180028880
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002F890
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018003A8BC
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800138D0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000E8DC
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180024930
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180002971
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000E9B0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800199F0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180053A00
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000FA00
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180021A10
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180025A10
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002AA30
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180003A32
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180007A33
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001EA40
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180005A50
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180004A98
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000FAA0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180035AD0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180006B00
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180005B3E
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180012B50
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180024B60
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000CBAB
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180023BC0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180002BD6
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180008C05
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180030C20
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002FC27
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002FC30
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002FC39
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180007C3B
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002FC42
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002FC4B
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002FC54
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180065C60
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002FC5D
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000AC80
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180035C90
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180025C90
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180006C98
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180036C9E
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180061CA7
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180003CA6
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180019CB0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180002CD2
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180038D24
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002AD30
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180006D44
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018000ED50
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180062D70
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180001D80
    Source: Joe Sandbox View | Dropped File: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | SHA256: E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
    Source: Joe Sandbox View | Dropped File: C:\Program Files\Windows Mail\arphaDump64.dll | SHA256: ACC214BCA1EE6212144EC1F45F247389FD81C462C8D4C4D85B323198F911759A
    Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000000180044F40 appears 61 times
    Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000000180041800 appears 91 times
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: String function: 0000000180044F40 appears 61 times
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: String function: 0000000180041800 appears 91 times
    Source: C:\Windows\System32\dllhost.exe | Code function: String function: 0000000180044F40 appears 61 times
    Source: C:\Windows\System32\dllhost.exe | Code function: String function: 0000000180041800 appears 91 times
    Source: R2-Signed.exe | Static PE information: invalid certificate
    Source: R2-Signed.exe | Binary or memory string: OriginalFilename vs R2-Signed.exe
    Source: R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs R2-Signed.exe
    Source: R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs R2-Signed.exe
    Source: R2-Signed.exe | Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AEF4C000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@0/1
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F0680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EFD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FCE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F7870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F9A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F9300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F7290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F0480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC4E0 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F63C0 memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800263C0 memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_00000001800263C0 memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00000001800263C0 memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FC950 memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
    Source: C:\Users\user\Desktop\R2-Signed.exe | Code function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FF7679F4000 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E2140 WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess
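    The API chains above repeat call for call across svchost.exe (stages 2 and 3), dllhost.exe (stage 4) and ParphaCrashReport64.exe (stage 5); only the image base differs (for instance 2_2_000001845C4F9300 and 3_2_0000000180029300 share the low 16 bits 0x9300), which is what one relocated module mapped into four hosts looks like. The Python below is added here as an analyst's example and is not Joe Sandbox output or tooling: it parses rows in the report's own layout (fused or with a separator, function id at the front or at the end), clusters functions by identical call sequence, and tags each cluster with the capability its API set implies. The sample rows are copied from the report above, except one "String function" row that is included to show it is skipped; the capability table and the regular expression are this example's own heuristics, not a Joe Sandbox classification.

```python
"""Cluster Joe Sandbox "Code function" rows by their API-call sequence.

Added example, not Joe Sandbox output or tooling. SAMPLE_ROWS are copied
from the R2-Signed.exe report plus one "String function" row the parser
must skip. "N_2_<addr>" is Joe Sandbox's own function id (process stage
prefix, 64-bit address). CAPABILITIES is this example's heuristic mapping.
"""
import re
from collections import defaultdict

# Both layouts seen on the page: the extracted text with the source and
# the "Code function:" cell fused and the id repeated after the API list,
# and the cleaned "Source | Code function" form. API names start with a
# letter or underscore, so a trailing "2_2_..." id is never read as an API.
ROW = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<id>\d+_\d+_[0-9A-F]{16})?\s*"
    r"(?P<apis>[A-Za-z_][A-Za-z0-9_]*(?:,[A-Za-z_][A-Za-z0-9_]*)*)"
    r",?\s*(?P<tail>\d+_\d+_[0-9A-F]{16})?"
)

CAPABILITIES = {
    "adjust-token-privileges": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "enumerate-processes": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "resolve-process-owner": {"GetTokenInformation", "LookupAccountSidW"},
    "enumerate-remote-modules": {"OpenProcess", "K32EnumProcessModules", "K32GetProcessImageFileNameW"},
    "list-tcp-connections": {"GetExtendedTcpTable"},
    "list-udp-endpoints": {"GetExtendedUdpTable"},
    "kill-process-and-delete-file": {"TerminateProcess", "DeleteFileW"},
    "install-service": {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
    "reconfigure-service": {"OpenServiceW", "ChangeServiceConfig2W"},
}


def capabilities(apis):
    """Tags whose required API set is fully present in the call sequence."""
    present = set(apis)
    return sorted(tag for tag, needed in CAPABILITIES.items() if needed <= present)


def parse_rows(lines):
    """-> [(source_image, stage, address_int, apis_tuple)], one per function row."""
    rows = []
    for line in lines:
        m = ROW.search(line)
        if not m:
            continue
        fid = m["id"] or m["tail"]
        if fid is None:  # e.g. "String function: ... appears 61 times" rows
            continue
        stage, addr = fid.rsplit("_", 1)
        rows.append((m["src"], stage, int(addr, 16), tuple(m["apis"].split(","))))
    return rows


def cluster_by_sequence(rows):
    groups = defaultdict(list)
    for src, stage, addr, apis in rows:
        groups[apis].append((src, stage, addr))
    return groups


def shared_code(rows):
    """API sequences present in more than one host image. Only the low 16
    bits of each address are reported: equal values under different image
    bases are the signature of one relocated module, not of separate code."""
    out = []
    for apis, hits in cluster_by_sequence(rows).items():
        procs = sorted({src for src, _, _ in hits})
        if len(procs) < 2:
            continue
        out.append({
            "capabilities": capabilities(apis),
            "processes": procs,
            "stages": sorted(stage for _, stage, _ in hits),
            "low16": sorted({addr & 0xFFFF for _, _, addr in hits}),
        })
    return sorted(out, key=lambda d: d["low16"])


PRIV = ("GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,"
        "CloseHandle,VirtualAlloc,GetLastError,memcpy")
KILL = ("memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,"
        "GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,"
        "CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,"
        "QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,"
        "TerminateProcess,CloseHandle,Sleep")
SVC = ("memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,"
       "CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,"
       "CloseServiceHandle")
SAMPLE_ROWS = [  # copied from the report; layouts deliberately mixed
    r"Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F0480 " + PRIV + ",2_2_000001845C4F0480",
    r"Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180020480 " + PRIV,
    r"Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180020480 " + PRIV,
    r"Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180020480 " + PRIV,
    r"Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F9A70 " + KILL + ",2_2_000001845C4F9A70",
    r"Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180029A70 " + KILL,
    r"Source: C:\Windows\System32\svchost.exeCode function: " + SVC + ",2_2_000001845C4F63C0",
    r"Source: C:\Windows\System32\dllhost.exeCode function: " + SVC + ",4_2_00000001800263C0",
    r"Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FC950 memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_000001845C4FC950",
    r"Source: C:\Windows\System32\svchost.exeCode function: String function: 0000000180044F40 appears 61 times",
]

if __name__ == "__main__":
    for entry in shared_code(parse_rows(SAMPLE_ROWS)):
        print(entry)
```

    Run against the full report, the clusters line up with the "Found evasive API chain" and injection signatures in the overview: the privilege-adjustment prologue fronts every capability, and the single-process clusters (such as the CreateToolhelp32Snapshot walker at 2_2_000001845C4FC950) mark code that only the first svchost.exe stage executed.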
    Source: C:\Windows\System32\svchost.exeFile created: C:\Program Files\Windows Mail\ParphaCrashReport64.exeJump to behavior
    Source: R2-Signed.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\R2-Signed.exeSystem information queried: HandleInformationJump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: R2-Signed.exeReversingLabs: Detection: 15%
    Source: svchost.exeString found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: svchost.exeString found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: svchost.exeString found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: svchost.exeString found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: dllhost.exeString found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: dllhost.exeString found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: ParphaCrashReport64.exeString found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: ParphaCrashReport64.exeString found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: unknown | Process created: C:\Users\user\Desktop\R2-Signed.exe "C:\Users\user\Desktop\R2-Signed.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\R2-Signed.exe | Section loaded: dwrite.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devenum.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msdmo.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\dllhost.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: apphelp.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: arphadump64.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: kernel.appcore.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: winmm.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: netapi32.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: samcli.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: netutils.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: wtsapi32.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: userenv.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: iphlpapi.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: urlmon.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: iertutil.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: srvcli.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: firewallapi.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: dnsapi.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: fwbase.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.bin
    Source: R2-Signed.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: R2-Signed.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: R2-Signed.exe | Static file information: File size 23289008 > 1048576
    Source: R2-Signed.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9bec00
    Source: R2-Signed.exe | Static PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0xbf0400
    Source: R2-Signed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: R2-Signed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: R2-Signed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: R2-Signed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: R2-Signed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: R2-Signed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: R2-Signed.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: R2-Signed.exe, R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000005.00000002.1710463566.00007FFE11ED9000.00000002.00000001.01000000.00000009.sdmp, arphaDump64.dll.2.dr
    Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: R2-Signed.exe, R2-Signed.exe, 00000000.00000002.1690216804.0000012739F00000.00000004.00001000.00020000.00000000.sdmp, R2-Signed.exe, 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000005.00000002.1710266927.00007FF767A12000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe, 00000005.00000000.1696950381.00007FF767A12000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.2.dr
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F4080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,2_2_000001845C4F4080
    Source: R2-Signed.exe | Static PE information: section name: .vmp2
    Source: R2-Signed.exe | Static PE information: section name: .qtmetad
    Source: R2-Signed.exe | Static PE information: section name: .qtmimed
    Source: R2-Signed.exe | Static PE information: section name: _RDATA
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC3E0 push rcx; ret 2_2_000001845C4EC3E1
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C3E0 push rcx; ret 3_2_000000018001C3E1
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00000001800619F7 push FF491775h; ret 3_2_00000001800619FC
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001C3E0 push rcx; ret 4_2_000000018001C3E1
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_00000001800619F7 push FF491775h; ret 4_2_00000001800619FC
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001C3E0 push rcx; ret 5_2_000000018001C3E1
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00000001800619F7 push FF491775h; ret 5_2_00000001800619FC
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F30FE VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,2_2_000001845C4F30FE
    Source: C:\Windows\System32\svchost.exe | File created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: C:\Windows\System32\svchost.exe | File created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FD060 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_000001845C4FD060

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\svchost.exe | File deleted: c:\users\user\desktop\r2-signed.exe
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EBFC0 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,2_2_000001845C4EBFC0
    Source: C:\Users\user\Desktop\R2-Signed.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\System32\dllhost.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Users\user\Desktop\R2-Signed.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Windows\System32\svchost.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4E6F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4E6F60
    Source: C:\Users\user\Desktop\R2-Signed.exe | Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,0_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,2_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,2_2_000001845C4FD140
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4FF890
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,3_2_000000018002D140
    Source: C:\Windows\System32\svchost.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018002F890
    Source: C:\Windows\System32\dllhost.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,4_2_000000018002D140
    Source: C:\Windows\System32\dllhost.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018002F890
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,5_2_000000018002D140
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018002F890
    Source: C:\Windows\System32\svchost.exe | API coverage: 4.1 %
    Source: C:\Windows\System32\svchost.exe | API coverage: 7.5 %
    Source: C:\Windows\System32\dllhost.exe | API coverage: 3.2 %
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | API coverage: 3.3 %
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EDDD0 malloc,memset,FindFirstFileW,free,2_2_000001845C4EDDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EC850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4EC850
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4EE210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,2_2_000001845C4EE210
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4ECCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4ECCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,3_2_000000018001E210
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001C850
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,3_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,3_2_000000018001DDD0
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,4_2_000000018001E210
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001C850
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,4_2_000000018001CCF0
    Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,4_2_000000018001DDD0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FF767A08F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,5_2_00007FF767A08F78
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_00007FFE11ED05EC FindFirstFileExW,5_2_00007FFE11ED05EC
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,5_2_000000018001E210
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018001C850
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018001CCF0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,5_2_000000018001DDD0
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4FCD30 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,lstrcpyW,lstrcatW,2_2_000001845C4FCD30
    Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F24E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F24E0
    Source: svchost.exe, 00000002.00000002.2927994658.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
    Source: R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@
    Source: svchost.exe, 00000002.00000000.1672530680.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2928065655.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2926027380.0000026539213000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2926510340.00000246DB213000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000007.00000002.2926000650.00000236CB6DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: dllhost.exe, 00000004.00000002.2926057037.000002707A79B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%%
    Source: ParphaCrashReport64.exe, 00000005.00000002.1709470295.000002B07F865000.00000004.00000020.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000005.00000003.1699861960.000002B07F865000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll??
    Source: C:\Users\user\Desktop\R2-Signed.exeAPI call chain: ExitProcess graph end nodegraph_0-13637
    Source: C:\Windows\System32\svchost.exeAPI call chain: ExitProcess graph end nodegraph_2-41788
    Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FE010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,2_2_000001845C4FE010
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180064130
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF7679FD1E8 GetLastError,IsDebuggerPresent,OutputDebugStringW,5_2_00007FF7679FD1E8
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4E6F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4E6F60
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180034DA0 VirtualAlloc ?,?,00000000,0000000180035130,?,?,00000000,0000000180014AAC3_2_0000000180034DA0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F4080 VirtualAlloc,LoadLibraryW,GetProcAddress,FreeLibrary,2_2_000001845C4F4080
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FCA60 CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,2_2_000001845C4FCA60
    Source: C:\Users\user\Desktop\R2-Signed.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_00000001801129E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00000001801129E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C530030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_000001845C530030
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180060030
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000180064130
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0000000180060770
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000180060030
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000180064130
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0000000180060770
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF7679FEEF4 SetUnhandledExceptionFilter,5_2_00007FF7679FEEF4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF7679FED0C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF7679FED0C
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF7679FE440 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF7679FE440
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FF767A021D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF767A021D8
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FFE11EC5860 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFE11EC5860
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FFE11ECD3B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFE11ECD3B4
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_00007FFE11EC6270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFE11EC6270
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0000000180060030
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0000000180064130
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0000000180060770

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\svchost.exeFile created: ParphaCrashReport64.exe.2.drJump to dropped file
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and writeJump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845BE00000 protect: page read and writeJump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and writeJump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845B390000 protect: page read and writeJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845C380000 protect: page execute and read and writeJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845C390000 protect: page read and writeJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845C420000 protect: page execute and read and writeJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1845C430000 protect: page read and writeJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EF9E0 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError,2_2_000001845C4EF9E0
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F9E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,2_2_000001845C4F9E10
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4EF710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,2_2_000001845C4EF710
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FE4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,2_2_000001845C4FE4D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,3_2_000000018002E4D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,3_2_000000018001F710
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,3_2_0000000180029E10
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,4_2_000000018002E4D0
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,4_2_000000018001F710
    Source: C:\Windows\System32\dllhost.exeCode function: 4_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,4_2_0000000180029E10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,5_2_000000018002E4D0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread,5_2_000000018001F710
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 5_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,5_2_0000000180029E10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtWriteVirtualMemory: Direct from: 0x18000E065Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtClose: Direct from: 0x18002CA47
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtProtectVirtualMemory: Direct from: 0x18002D4F8Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtQuerySystemInformation: Direct from: 0x18001244CJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x1800209C4Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtProtectVirtualMemory: Direct from: 0x18002D89DJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtClose: Direct from: 0x18002052B
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18000D3EBJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180008FB0Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtQuerySystemInformation: Direct from: 0x18001216DJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18001B0FAJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180020758Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x1800207ADJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x1800208EEJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18000E4F4Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180020A2FJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAdjustPrivilegesToken: Direct from: 0x180020511Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtWriteVirtualMemory: Direct from: 0x18000E8B1Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtUnmapViewOfSection: Direct from: 0x18002C9A7Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18002069DJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtWriteVirtualMemory: Direct from: 0x18000E6D2Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtUnmapViewOfSection: Direct from: 0x18002C9C4Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180020818Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180020959Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtQueryInformationProcess: Direct from: 0x1800091B3Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x1800121DBJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtWriteVirtualMemory: Direct from: 0x18000B93EJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtQuerySystemInformation: Direct from: 0x18002D84BJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180020A9AJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18000E173Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18001B08CJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtProtectVirtualMemory: Direct from: 0x18002D52BJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAdjustPrivilegesToken: Direct from: 0x18000C5C9Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtProtectVirtualMemory: Direct from: 0x18002D88CJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18001B0C3Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180020883Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtClose: Direct from: 0x180020741
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180008494Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtQuerySystemInformation: Direct from: 0x180009000Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18001AFDDJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18000B8ADJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAdjustPrivilegesToken: Direct from: 0x180020727Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtQuerySystemInformation: Direct from: 0x18002C984Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180012212Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x180020544Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18001B131Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeNtAllocateVirtualMemory: Direct from: 0x18002D1CCJump to behavior
    Source: C:\Windows\System32\svchost.exeThread register set: target process: 3128Jump to behavior
    Source: C:\Windows\System32\svchost.exeThread register set: target process: 7296Jump to behavior
    Source: C:\Windows\System32\svchost.exeThread register set: target process: 7216Jump to behavior
    Source: C:\Windows\System32\svchost.exeThread register set: target process: 7336Jump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B370000Jump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory written: C:\Windows\System32\svchost.exe base: 1845BE00000Jump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B380000Jump to behavior
    Source: C:\Users\user\Desktop\R2-Signed.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B390000Jump to behavior
    Source: C:\Windows\System32\svchost.exeMemory written: C:\Windows\System32\dllhost.exe base: 2707A630000Jump to behavior
    Source: C:\Windows\System32\svchost.exeMemory written: C:\Windows\System32\dllhost.exe base: 2707A6C0000Jump to behavior
    Source: C:\Windows\System32\svchost.exeMemory written: C:\Windows\System32\dllhost.exe base: 2707A620000Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory written: C:\Windows\System32\svchost.exe base: 1845C380000Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory written: C:\Windows\System32\svchost.exe base: 1845C390000Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory written: C:\Windows\System32\svchost.exe base: 1845C420000Jump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeMemory written: C:\Windows\System32\svchost.exe base: 1845C430000Jump to behavior
    Source: C:\Windows\System32\svchost.exeMemory written: C:\Windows\System32\dllhost.exe base: 236CB450000Jump to behavior
    Source: C:\Windows\System32\svchost.exeMemory written: C:\Windows\System32\dllhost.exe base: 236CB4E0000Jump to behavior
    Source: C:\Windows\System32\svchost.exeMemory written: C:\Windows\System32\dllhost.exe base: 236CB440000Jump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe2_2_000001845C4E2140
    Source: C:\Windows\System32\svchost.exeCode function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe3_2_0000000180012140
    Source: C:\Windows\System32\dllhost.exeCode function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe4_2_0000000180012140
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe5_2_0000000180012140
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4FE010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,2_2_000001845C4FE010
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcsJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"Jump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcsJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}Jump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}Jump to behavior
    Source: C:\Windows\System32\svchost.exeFile opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dllJump to behavior
    Source: C:\Windows\System32\dllhost.exeFile opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dllJump to behavior
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeFile opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dllJump to behavior
    Source: svchost.exe, 00000003.00000002.2928204871.000002653A690000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2320497763.000002653A660000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000004.00000003.2300635309.000002707CD60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: svchost.exe, 00000003.00000003.2320869082.000002653A990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2347105316.00000246DC900000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: TCPProgram Manager
    Source: C:\Users\user\Desktop\R2-Signed.exeCode function: 0_2_000000018002BBA8 cpuid 0_2_000000018002BBA8
    Source: C:\Users\user\Desktop\R2-Signed.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F7E20 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,2_2_000001845C4F7E20
    Source: C:\Users\user\Desktop\R2-Signed.exeCode function: 0_2_0000000180112B5C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000000180112B5C
    Source: C:\Windows\System32\svchost.exeCode function: 2_2_000001845C4F24E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,2_2_000001845C4F24E0

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C4F1520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,2_2_000001845C4F1520
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C517630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,2_2_000001845C517630
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C51A830 socket,socket,htonl,bind,getsockname,2_2_000001845C51A830
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000001845C526B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,2_2_000001845C526B30
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,3_2_0000000180021520
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,3_2_0000000180047630
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_000000018004A830 socket,socket,htonl,bind,getsockname,3_2_000000018004A830
Source: C:\Windows\System32\svchost.exe | Code function: 3_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,3_2_0000000180056B30
Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,4_2_0000000180021520
Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,4_2_0000000180047630
Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_000000018004A830 socket,socket,htonl,bind,getsockname,4_2_000000018004A830
Source: C:\Windows\System32\dllhost.exe | Code function: 4_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,4_2_0000000180056B30
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,5_2_0000000180021520
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket,5_2_0000000180047630
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_000000018004A830 socket,socket,htonl,bind,getsockname,5_2_000000018004A830
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 5_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons,5_2_0000000180056B30
ATT&CK matrix, listed per tactic in matrix order (numbers in parentheses are the counts shown in the matrix cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Native API (11); Exploitation for Client Execution (1); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Service Execution (12); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: DLL Side-Loading (1); Create Account (1); Valid Accounts (1); Windows Service (12); Scheduled Task/Job (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (12); Process Injection (523); Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Access Token Manipulation (11); Process Injection (523); Indicator Removal (1)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: System Time Discovery (1); Account Discovery (11); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (25); Network Share Discovery (1); Security Software Discovery (141); Process Discovery (4); System Owner/User Discovery (1); Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (1); Input Capture (21); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
Behavior Graph ID: 1579841 | Sample: R2-Signed.exe | Startdate: 23/12/2024 | Architecture: WINDOWS | Score: 100

Start node (2): Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected ValleyRAT; 3 other signatures. Started: R2-Signed.exe (8).
R2-Signed.exe (8): Writes to foreign memory regions; Allocates memory in foreign processes; Found evasive API chain checking for user administrative privileges. Injected process: svchost.exe (11; counts shown in graph: 12, 4).
svchost.exe (11): dropped C:\Program Files\...\arphaDump64.dll (PE32+) and C:\Program Files\...\ParphaCrashReport64.exe (PE32+); Benign windows process drops PE files; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; 3 other signatures. Started: svchost.exe (15; count shown in graph: 1), ParphaCrashReport64.exe (19), svchost.exe (21).
svchost.exe (15): DNS/IP: 18.139.89.40, ports 49741, 49743, 80, AMAZON-02US, United States; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection). Started: dllhost.exe (23).
ParphaCrashReport64.exe (19): Allocates memory in foreign processes; Found direct / indirect Syscall (likely to bypass EDR).
svchost.exe (21): Started: dllhost.exe (26).
dllhost.exe (23): Contains functionality to inject threads in other processes; Found evasive API chain checking for user administrative privileges.

Source | Detection | Scanner | Label | Link
R2-Signed.exe | 16% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Program Files\Windows Mail\ParphaCrashReport64.exe | 4% | ReversingLabs | |
C:\Program Files\Windows Mail\arphaDump64.dll | 52% | ReversingLabs | Win64.Trojan.Generic |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://support.google.com/chrome/answer/6098869?hl=es | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://support.google.com/chrome/answer/6098869 | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.html | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=es-419Ctrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=etCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.comSaved | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=zh-TWCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://myactivity.google.com/ | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.comSelle | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://passwords.google.comGestoorde | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.com | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://policies.google.com/ | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=esCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://ejemplo.com.Se | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=afCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.comSe | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://www.google.com/chrome/privacy/eula_text.html&AideG | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.comMots | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chrome.google.com/webstore/category/extensions | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://support.google.com/chromebook?p=app_intent | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=frCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.comT | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://support.google.com/chrome/answer/96817 | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://support.google.com/chrome/a/?p=browser_profile_details | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=filCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.comMga | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://support.google.com/chrome/a/answer/9122284 | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/? | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=enCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://passwords.google.comContrase | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=fiCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlBestuur | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosi | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://ejemplo.com | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist | R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://chrome.google.com/webstore?hl=en-GBCtrl$1 | R2-Signed.exe, 00000000.00000000.1666745025.00007FF6AE6C5000.00000008.00000001.01000000.00000003.sdmp, R2-Signed.exe, 00000000.00000002.1692179704.00007FF6AE716000.00000008.00000001.01000000.00000003.sdmp | false | | high
                                                                                                                    • No. of IPs < 25%
                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                    • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
18.139.89.40 | unknown | United States | | 16509 | AMAZON-02US | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579841
Start date and time:2024-12-23 11:21:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 8m 59s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:R2-Signed.exe
Detection:MAL
Classification:mal100.troj.evad.winEXE@11/4@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 33
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.175.87.197, 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: R2-Signed.exe
Time:10:22:01
Type:Task Scheduler
Description:Run new task: MicrosoftMailUpdateTask path: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
Match:AMAZON-02US
• TsWpfWrp.exe, Detection:malicious, Threat Name:ValleyRAT, Context:52.74.204.186
• Archivo-PxFkiLTWYG-23122024095010.hta, Detection:malicious, Threat Name:Unknown, Context:3.5.232.230
• Archivo-PxFkiLTWYG-23122024095010.hta, Detection:malicious, Threat Name:Unknown, Context:3.5.232.130
• Archivo-PxFkiLTWYG-23122024095010.hta, Detection:malicious, Threat Name:Unknown, Context:3.5.234.55
• FBmz85HS0d.exe, Detection:malicious, Threat Name:LummaC, Context:185.166.143.50
• armv5l.elf, Detection:malicious, Threat Name:Unknown, Context:108.159.159.70
• BJQizQ6sqT.exe, Detection:malicious, Threat Name:LummaC, Context:185.166.143.48
• jSFUzuYPG9.exe, Detection:malicious, Threat Name:LummaC, Context:52.216.152.124
• mG83m82qhF.exe, Detection:malicious, Threat Name:LummaC, Context:185.166.143.49
• LP4a6BowQN.exe, Detection:malicious, Threat Name:LummaC, Context:185.166.143.49
Match:C:\Program Files\Windows Mail\ParphaCrashReport64.exe
• TsWpfWrp.exe, Detection:malicious, Threat Name:ValleyRAT
• hvix64.exe, Detection:malicious, Threat Name:ValleyRAT
• 2024-12-10#U67e5#U9605_uninst.exe, Detection:malicious, Threat Name:ValleyRAT
• 2024-12-10#U67e5#U9605_uninst.exe, Detection:malicious, Threat Name:ValleyRAT
• png131.exe, Detection:malicious, Threat Name:ValleyRAT
• install.exe, Detection:malicious, Threat Name:ValleyRAT
• Telegrm2.69.exe, Detection:malicious, Threat Name:Unknown
• Telegrm2.69.exe, Detection:malicious, Threat Name:Unknown
• file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection:malicious, Threat Name:Unknown
• SvpnLong2.exe, Detection:malicious, Threat Name:Unknown
Match:C:\Program Files\Windows Mail\arphaDump64.dll
• png131.exe, Detection:malicious, Threat Name:ValleyRAT
• install.exe, Detection:malicious, Threat Name:ValleyRAT
                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):238384
                                                                                                                                            Entropy (8bit):6.278635939854228
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:fN9rZ5vuFomptSepjTxUPjfOgwXCtRLDya09M9EvoHmkQ/2Y8L6vVefD:rZ5qomPSeCx7tRNQjSfD
                                                                                                                                            MD5:8B5D51DF7BBD67AEB51E9B9DEE6BC84A
                                                                                                                                            SHA1:DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
                                                                                                                                            SHA-256:E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
                                                                                                                                            SHA-512:1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                            Joe Sandbox View:
                                                                                                                                            • Filename: TsWpfWrp.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: hvix64.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: 2024-12-10#U67e5#U9605_uninst.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: 2024-12-10#U67e5#U9605_uninst.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: png131.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: install.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: Telegrm2.69.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: Telegrm2.69.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection: malicious, Browse
                                                                                                                                            • Filename: SvpnLong2.exe, Detection: malicious, Browse
                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:...;...:...;)..:...;...:...;...:...;...:...;...:...;...:3..;...:...:...:3..;...:3.4:...:..\:...:3..;...:Rich...:........................PE..d......`.........."..........t......$..........@....................................j.....`..........................................................p...-...P.......h..0;......l...P...8.......................(.................... ..@............................text............................... ..`.rdata..F.... ......................@..@.data...L&... ......................@....pdata.......P......................@..@.rsrc....-...p.......2..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):546252
                                                                                                                                            Entropy (8bit):6.543977929343346
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12288:awnKbeNO/thmmWIK3z9rG3U9szzrHUPRxG0+UfYlrYSF:flXDp9HPYlr5F
                                                                                                                                            MD5:3E6532D7FE0BB87D94B2BB7986F12CC9
                                                                                                                                            SHA1:0644EEF386564C0411FDD067473F85A9921E34BC
                                                                                                                                            SHA-256:FAC90A422E92EDB585C4C89746ED47CDE8D045BEF7BBAE4F527CC8A0767E62B1
                                                                                                                                            SHA-512:1B431C7ECD2FDEC4FE601AFFA4AEAEC905860008A5420EAFFDC5892CA3AE1080BEA1427DFFCE53BABFCE0225F9133F4CE97BAA5D34817079CF3B9AFF70CE7B9B
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview:4...H..(H...D$8run.H.L$8.O...H..(...eH..%`......D..3.L..E..t"A........A..a.J..L.I....A..D....u..H.A.....H.\$.H.l$.H.t$.WAVAWH.. D......H.P.H.j L..I.......M..L.P0M..tLIcB<B.........t<I.<..O.I...j....w 3.I..D..9_.v...I...P...A..D;.t+..H...;_.r.L;.u.3.H.\$@H.l$HH.t$PH.. A_A^_.O$I..D...Y.O.I..B...I.......@SH.. H.......%...H..H.. [H....H.\$.WH.. H..H...........H..H..H.\$0H.. _H.....H.\$.UVWATAUAVAWH.. L..M..3.Z.H........2=..L.......-A..H.D$x....M..M.f.H.D$p3...A..y.H..(fA;A.s|I..9.u29E8~ZHc]8A......O.H..I..A.....A..L..G.3.H...T$p.-.O.A.......I..A.....A..W.H..D..I..H...T$x._.I....H..(..H......;.|.H.\$`H.. A_A^A]A\_^].H.\$.H.l$.H.t$ WATAUAVAWH..@L..-A........ ...H.L$ D..H..3...D.g.E..H.L$ A....E..W.H.L$$..E..W.H.L$(..E..W.H.L$,..E..W.H.L$0..E..W`H.L$4..E..H.L$8....E..W H.L$<....O.B....../.H...5...M..E3.L..A..H.........A..Y.I.q0H..(H#.fE;i.......I..D.C.A.....A.....E..A#.A...A#.A....s..K.A..@....H.....OH..B..I..RD.T. A....A....D.CT. ..u.A..@t.A.A ..E..y.A.A$..t..K.L.L$pH...E.
                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):287232
                                                                                                                                            Entropy (8bit):6.391182582162269
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:qzZrTgN6uyqfkqc53wuY+OrGW2LRKK9+R/BsP3VkxQO6yOxaXLNC3dvMvuTYp:ksxkmyLRKiM/BsNd3yGaXpruT2
                                                                                                                                            MD5:1184B14D782403EAF5EB02DFA36777C5
                                                                                                                                            SHA1:7C6FBCFC3C26B1BFB232DADCE23F31124468BD72
                                                                                                                                            SHA-256:ACC214BCA1EE6212144EC1F45F247389FD81C462C8D4C4D85B323198F911759A
                                                                                                                                            SHA-512:B378B9D3A51919654A8C5D56B6359F870EC9C14C7EFB9F56BAB6F547CDF5A45A1A9BE793C2461752196B8BA64C7ED9CDCBE6E34BFFF68A8C05FA8CAA8A96FB5B
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 52%
                                                                                                                                            Joe Sandbox View:
                                                                                                                                            • Filename: png131.exe, Detection: malicious, Browse
                                                                                                                                            • Filename: install.exe, Detection: malicious, Browse
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K+...Js..Js..Js.D2p..Js.D2v..Js.D2w..Js...p..Js...w..Js...v.,Js.D2r..Js..Jr.jJs...z..Js...s..Js.....Js...q..Js.Rich.Js.................PE..d....DDg.........." ...*.............^....................................................`..........................................,.......-..<............p..........................p.......................(.......@............................................text...P~.......................... ..`.rdata.............................@..@.data....&...@.......,..............@....pdata.......p.......B..............@..@.rsrc................X..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):3198
                                                                                                                                            Entropy (8bit):3.559796516107948
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:yei1q9tNTyOXZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTKp+++:tX4diaigVA9ll7dhFF7+
                                                                                                                                            MD5:79C8530188472FA4159DE398A9CA797F
                                                                                                                                            SHA1:0B8743354489D4460DA39E8E4EF2230E9925F638
                                                                                                                                            SHA-256:46722563913B24900DFD02AFD809AE2BBABB5CE420AA81ECBF008F7ACE247F34
                                                                                                                                            SHA-512:2079F7EA505FC410028A0D36A408AFE97E0BDED14548EE6448F692FEEF2D55D52CE6EC9DF5A016C6737595275FF6BD5F4D5397F0C128445ED262B75BF4DD7EE5
                                                                                                                                            Malicious:false
Preview (UTF-16 bytes decoded to text; the report's preview is truncated at the same point):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>SYSTEM</Author>
    <Description>Microsoft Mail Update Task MachineCore</Description>
    <URI>\Microsoft\Windows\MicrosoftMailUpdateTask</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</Us
                                                                                                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.015585406867402
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: R2-Signed.exe
File size: 23'289'008 bytes
MD5: a7471e097d4d4e84fa44a025603499e1
SHA1: 231bbd89584d137fb2a418776549aa3774638d42
SHA256: deede7611a657fab998d2e354f0168adf7a9ab89f34ab1fd7ccab8c9736597e9
SHA512: b5309cadd5e85a17a19e5c15a56eb2e668d1cc7b46f31f2977afde309d33b96fa93e1c3cb9c23314c027c895772821930d56388ccad5b75d0831f804892dc434
SSDEEP: 393216:G1/Uf6MyNXElYsjLl7Skew2j+bqJqJsv6tWKFdu9CnF:a4pKRiqJK
TLSH: E737BF07B29006A9E072E078DA47C117FB71F418A76097DB35A896D92F73BF0A93B351
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................|.....7.............................................r...................\...r.......s.......s......
Icon Hash: 03898f8f8f8f8b01
Entrypoint: 0x1408afff0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x675000B5 [Wed Dec 4 07:11:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 7ef050b01014b0234d5be0c3d4a81582
Signature Valid: false
Signature Issuer: CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over the file does not match the digest carried in the signed SignerInfo, so either the image was modified after signing or the certificate table was appended from a different file)
Not Before, Not After
• 24/05/2010 20:00:00 15/07/2011 19:59:59
Subject Chain
• CN="Dolby Laboratories, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Dolby Laboratories, Inc.", L=San Francisco, S=California, C=US
Version: 3
Thumbprint MD5: 1546F35EF8BB0380178D89F5A9756956
Thumbprint SHA-1: 191FF743577ED5AC47B800923ACA83D3352A0AEC
Thumbprint SHA-256: D61CE0F870501FF2B1319CC53084963FDD016D456FB54BDB06D9D24301E0DA33
Serial: 20892E8E533FAE56ADE2E9120D5B9B5F
Note: "Digitally signed: true" above only records that an IMAGE_DIRECTORY_ENTRY_SECURITY table is present. The certificate's validity window closed on 15/07/2011, thirteen years before the PE time stamp (December 2024, if genuine), the subject is an unrelated vendor, and the digest does not verify; taken together this is consistent with a signature block copied from a legitimately signed file rather than a signature produced for this image. The "Signed" in the sample name is a string, not a trust signal.
Instruction (entry point, x86-64 decoding; the 0x48, 0x45 and 0x41 bytes that a 32-bit decoder shows as dec eax / inc ebp / inc ecx are REX prefixes of the instruction that follows, and disp32-only memory operands are RIP-relative)
sub rsp, 28h
call 00007FD36131E8FCh
add rsp, 28h
jmp 00007FD36131DC5Fh
int3
int3
mov qword ptr [rsp+08h], rbx
push rdi
sub rsp, 20h
mov edx, 00000FA0h
lea rcx, [rip+00D17776h]
call qword ptr [rip+00110668h]
lea rcx, [rip+00BD9769h]
call qword ptr [rip+001102BBh]
mov rbx, rax
test rax, rax
jne 00007FD36131DDF7h
lea rcx, [rip+00BD979Ch]
call qword ptr [rip+001102A6h]
mov rbx, rax
test rax, rax
je 00007FD36131DE61h
lea rdx, [rip+00BD97A7h]
mov rcx, rbx
call qword ptr [rip+00110296h]
lea rdx, [rip+00BD97B7h]
mov rcx, rbx
mov rdi, rax
call qword ptr [rip+00110283h]
test rdi, rdi
je 00007FD36131DDF7h
test rax, rax
je 00007FD36131DDF2h
mov qword ptr [rip+00D1773Ah], rdi
mov qword ptr [rip+00D1773Bh], rax
jmp 00007FD36131DE00h
xor r9d, r9d
xor r8d, r8d
xor ecx, ecx
lea edx, dword ptr [r9+01h]
call qword ptr [rip+001105A7h]
mov qword ptr [rip+00D176E8h], rax
test rax, rax
je 00007FD36131DE06h
xor ecx, ecx
call 00007FD36131D909h
test al, al
je 00007FD36131DDFBh
lea rcx, [rip+0000001Dh]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9c0f38         0x154         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1628000        0x21bc0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xa221a8         0x75e1c       .vmp2
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1630c00        0x50b0        .rsrc (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x161b000        0xc1f8        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x14d1238        0x1c          .vmp2
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x14d1400        0x28          .vmp2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x14d1260        0x138         .vmp2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9c0000         0xf10         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Note: unlike every other entry, the SECURITY directory's "Virtual Address" is a raw file offset to the WIN_CERTIFICATE table, not an RVA; the certificate table is never mapped into a section, so the section assigned to it above is an artifact of treating the offset as an RVA.
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                                          Entropy             Characteristics
.text     0x1000           0x9bea60      0x9bec00  ad7a18a94e844ab16267efbd30a99280  unknown   unknown              unknown                                            unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.idata    0x9c0000         0x424e        0x4400    ffa77a54d4f138e8c9bbfab0fcc8e5ef  False     0.3131893382352941   data                                               4.775786531589324   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp2     0x9c5000         0xc0455c      0xbf0400  be936bd807d3d0de837401ea3bbb98fc  unknown   unknown              unknown                                            unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.qtmetad  0x15ca000        0x536         0x600     bfd0a37e057f358d80d1716d9a9abd7e  False     0.24609375           data                                               5.0500249701877475  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.qtmimed  0x15cb000        0x4ece5       0x4ee00   2d32d357ab751ffbbb513570c6ee6986  False     0.997458770800317    gzip compressed data, original size modulo 2^32 0  7.998000978505572   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
_RDATA    0x161a000        0x130         0x200     4cf87728c7431acc28c0e2229f313f5a  False     0.318359375          data                                               2.6787961516860954  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x161b000        0xc1f8        0xc200    ae4ac34fee01f20308f4133c27853680  False     0.16233086340206185  data                                               5.483512500297378   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc     0x1628000        0x21bc0       0x21c00   33c26467011d800558c1f808e28a0223  False     0.4668041087962963   data                                               5.570115815801445   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
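The two report fields above that a practitioner actually has to reason about are the TRUST_E_BAD_DIGEST verdict and the "Is in Section" mapping of the data directories. The following is an added, standard-library-only example (not Joe Sandbox code and not the sample's code) that shows what the verifier computed when it rejected the signature: it builds a constructed, minimal PE32+ image in memory, appends a WIN_CERTIFICATE whose body is a placeholder rather than a real PKCS#7 SignedData, and computes the Authenticode file digest with the three exclusions the specification mandates (the optional-header CheckSum field, the IMAGE_DIRECTORY_ENTRY_SECURITY entry, and the certificate table itself). It also includes the report's own section table so the RVA-to-section lookup can be checked against the values listed above. Assumptions: sections are contiguous in the file and the certificate table is the last thing in it, which is the normal layout; a real verification would additionally parse the SignedData and compare this digest with its messageDigest attribute, which is not done here.

```python
"""Authenticode file digest of a PE image, stdlib only (added example, not report code)."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY; its "VirtualAddress" is a file offset

# Section table exactly as the report lists it: (name, VirtualAddress, VirtualSize)
REPORT_SECTIONS = [
    (".text", 0x1000, 0x9BEA60), (".idata", 0x9C0000, 0x424E),
    (".vmp2", 0x9C5000, 0xC0455C), (".qtmetad", 0x15CA000, 0x536),
    (".qtmimed", 0x15CB000, 0x4ECE5), ("_RDATA", 0x161A000, 0x130),
    (".reloc", 0x161B000, 0xC1F8), (".rsrc", 0x1628000, 0x21BC0),
]


def rva_to_section(rva, sections):
    """Reproduce the report's 'Is in Section' column for one RVA (None if unmapped)."""
    for name, va, vsize, *_ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def parse_pe(data):
    """Pull the offsets the Authenticode hash needs out of a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    sec_entry = opt + (112 if pe32plus else 96) + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", data, sec_entry)
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {
        "checksum_off": opt + 64,  # CheckSum sits at the same offset in PE32 and PE32+
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "sec_entry_off": sec_entry, "cert_off": cert_off, "cert_size": cert_size,
        "sections": sections,
    }


def authenticode_hash(data, algo="sha256"):
    """Hash the image with the three Authenticode exclusions applied."""
    pe = parse_pe(data)
    h = hashlib.new(algo)
    h.update(data[:pe["checksum_off"]])                            # headers up to CheckSum
    h.update(data[pe["checksum_off"] + 4:pe["sec_entry_off"]])     # ... up to the SECURITY entry
    h.update(data[pe["sec_entry_off"] + 8:pe["size_of_headers"]])  # ... to the end of the headers
    hashed = pe["size_of_headers"]
    for _, _, _, rawptr, rawsize in sorted(pe["sections"], key=lambda s: s[3]):
        h.update(data[rawptr:rawptr + rawsize])                    # section raw data in file order
        hashed += rawsize
    end = pe["cert_off"] if pe["cert_size"] else len(data)
    h.update(data[hashed:end])                                     # overlay, certificate table excluded
    return h.hexdigest()


def build_sample_pe(text, cert):
    """Constructed PE32+ with one .text section and an appended WIN_CERTIFICATE (test input only)."""
    align = 0x200
    hdr = bytearray(align)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header, 1 section
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<QII", hdr, opt + 24, 0x140000000, 0x1000, align)     # ImageBase, alignments
    struct.pack_into("<II", hdr, opt + 56, 0x2000, align)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 64, 0xDEADBEEF)                       # CheckSum (not hashed)
    struct.pack_into("<I", hdr, opt + 108, 16)                              # NumberOfRvaAndSizes
    text_raw = text.ljust(align, b"\0")
    cert = cert.ljust(-(-len(cert) // 8) * 8, b"\0")                        # cert bodies are 8-byte padded
    blob = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert        # dwLength, revision 2.0, PKCS_SIGNED_DATA
    struct.pack_into("<II", hdr, opt + 112 + 8 * SECURITY_DIR_INDEX, align + len(text_raw), len(blob))
    struct.pack_into("<8sIIII", hdr, opt + 240, b".text", len(text), 0x1000, len(text_raw), align)
    return bytes(hdr) + text_raw + blob


if __name__ == "__main__":
    image = build_sample_pe(b"\x48\x83\xec\x28\xc3", b"placeholder, not a real SignedData")
    print("authenticode sha256:", authenticode_hash(image))
    print("0x9c0f38 lies in", rva_to_section(0x9C0F38, REPORT_SECTIONS))
```

Overwriting the CheckSum field or the certificate body leaves the digest unchanged, while flipping a single byte of .text changes it; that is the property a transplanted signature fails, because its SignerInfo digest was computed over some other file's headers and sections.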
Name           RVA        Size     Type                                                                                                 ZLIB Complexity
RT_ICON        0x16281b0  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m   0.4333224890571395
RT_ICON        0x16389d8  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m    0.45877128442295567
RT_ICON        0x1641e80  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m    0.5150566839867737
RT_ICON        0x16460a8  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m      0.5564315352697096
RT_ICON        0x1648650  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m      0.6531425891181989
RT_ICON        0x16496f8  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m      0.8342198581560284
RT_GROUP_ICON  0x1649b60  0x5a     data                                                                                                 0.7777777777777778
                                                                                                                                            DLLImport
                                                                                                                                            WTSAPI32.dllWTSFreeMemory, WTSQuerySessionInformationW
                                                                                                                                            UxTheme.dllGetThemeColor, GetThemeInt, GetThemePartSize, OpenThemeData, GetThemeEnumValue, GetThemeMargins, GetCurrentThemeName, IsAppThemed, IsThemeActive, SetWindowTheme, GetThemeBool, IsThemeBackgroundPartiallyTransparent, GetThemeBackgroundRegion, CloseThemeData, GetThemeTransitionDuration, GetThemePropertyOrigin
                                                                                                                                            dwmapi.dllDwmGetWindowAttribute, DwmIsCompositionEnabled, DwmSetWindowAttribute, DwmEnableBlurBehindWindow
                                                                                                                                            GDI32.dllCreateRectRgn, DeleteDC, DeleteObject, GetRegionData, SelectClipRgn, SelectObject, CreateDIBSection, GdiFlush, BitBlt, CreateCompatibleDC, SetLayout, GetDeviceCaps, CreateCompatibleBitmap, CreateDCW, CreateBitmap, ChoosePixelFormat, SetPixelFormat, DescribePixelFormat, GetPixelFormat, SwapBuffers, GetBitmapBits, GetObjectW, CreateFontIndirectW, EnumFontFamiliesExW, GetFontData, GetStockObject, AddFontResourceExW, RemoveFontResourceExW, AddFontMemResourceEx, RemoveFontMemResourceEx, GetTextMetricsW, GetTextFaceW, GetCharABCWidthsW, GetCharABCWidthsFloatW, GetGlyphOutlineW, GetOutlineTextMetricsW, GetTextExtentPoint32W, GetCharABCWidthsI, SetBkMode, SetGraphicsMode, SetTextColor, SetTextAlign, SetWorldTransform, ExtTextOutW, CombineRgn, OffsetRgn, GetDIBits
                                                                                                                                            OLEAUT32.dllSafeArrayPutElement, SysAllocString, SafeArrayCreateVector, SysFreeString
                                                                                                                                            IMM32.dllImmGetVirtualKey, ImmSetCandidateWindow, ImmGetDefaultIMEWnd, ImmGetContext, ImmReleaseContext, ImmAssociateContext, ImmAssociateContextEx, ImmGetCompositionStringW, ImmGetOpenStatus, ImmNotifyIME, ImmSetCompositionWindow
                                                                                                                                            KERNEL32.dllEnterCriticalSection, RaiseException, lstrcmpW, GetLastError, GetCurrentThreadId, GetModuleHandleW, GetProcAddress, LocalFree, FormatMessageW, WTSGetActiveConsoleSessionId, ExpandEnvironmentStringsW, CloseHandle, CreateProcessW, CheckRemoteDebuggerPresent, OpenProcess, GlobalAlloc, GlobalUnlock, GlobalLock, GetLocaleInfoW, LoadLibraryW, LoadLibraryA, GlobalSize, GetCurrentProcessId, GetUserDefaultLangID, CreateFileW, GetFileSizeEx, ReadFile, WriteFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, WideCharToMultiByte, RtlPcToFileHeader, GetExitCodeProcess, GetUserGeoID, InitializeCriticalSectionEx, GetTimeZoneInformation, GetModuleHandleExW, FreeLibrary, FindNextFileW, VirtualFree, VirtualAlloc, CreateMutexW, ReleaseMutex, InitializeCriticalSection, WriteConsoleW, HeapSize, GetProcessHeap, FreeEnvironmentStringsW, FindFirstFileExW, FindNextChangeNotification, FindFirstChangeNotificationW, FindCloseChangeNotification, MultiByteToWideChar, LCMapStringW, CompareStringW, RegisterWaitForSingleObject, UnregisterWaitEx, SetFilePointerEx, SetEndOfFile, GetFileType, FlushFileBuffers, GetFileInformationByHandleEx, SystemTimeToFileTime, FileTimeToSystemTime, TzSpecificLocalTimeToSystemTime, MoveFileExW, MoveFileW, CopyFileW, DeviceIoControl, SetErrorMode, GetVolumePathNamesForVolumeNameW, GetTempPathW, SetFileTime, RemoveDirectoryW, GetLogicalDrives, GetFullPathNameW, GetFileInformationByHandle, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, GetModuleFileNameW, GetStartupInfoW, GetTickCount64, QueryPerformanceFrequency, QueryPerformanceCounter, GetFileAttributesExW, GetUserPreferredUILanguages, GetUserDefaultLCID, GetCurrencyFormatW, GetTimeFormatW, GetDateFormatW, ResetEvent, GetSystemInfo, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, ResumeThread, TerminateThread, 
GetThreadPriority, SetThreadPriority, GetCurrentThread, CreateThread, WaitForMultipleObjects, Sleep, WaitForSingleObject, DuplicateHandle, GetSystemDirectoryW, CreateEventW, WaitForSingleObjectEx, SetEvent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, OutputDebugStringW, GetLocalTime, GetSystemTime, InitializeCriticalSectionAndSpinCount, GetCommandLineW, CompareStringEx, GetConsoleWindow, GetDriveTypeW, GetVolumeInformationW, GetLongPathNameW, DeleteCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, SetLastError, RtlUnwind, LoadLibraryExW, ExitProcess, GetCommandLineA, ExitThread, FreeLibraryAndExitThread, SetFileAttributesW, SetStdHandle, GetConsoleMode, ReadConsoleW, GetConsoleCP, GetStdHandle, HeapFree, HeapAlloc, HeapReAlloc, RtlUnwindEx, GetCPInfo, IsValidLocale, GetGeoInfoW, SetEnvironmentVariableW, IsValidCodePage, GetACP, GetOEMCP, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnumSystemLocalesW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, InitializeSListHead
ole32.dll: OleFlushClipboard, OleGetClipboard, OleSetClipboard, CoCreateGuid, CoInitialize, CoCreateInstance, CoUninitialize, OleUninitialize, OleInitialize, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleIsCurrentClipboard, DoDragDrop, CoTaskMemFree, ReleaseStgMedium, CoInitializeEx, CoGetMalloc, StringFromGUID2
SHELL32.dll: SHGetKnownFolderPath, CommandLineToArgvW, SHGetFileInfoW, SHGetStockIconInfo, ShellExecuteW, SHCreateItemFromIDList, SHCreateItemFromParsingName, SHGetMalloc, SHGetPathFromIDListW, SHGetKnownFolderIDList, SHBrowseForFolderW, Shell_NotifyIconW, Shell_NotifyIconGetRect
USER32.dll: IsZoomed, PeekMessageW, FindWindowA, SetCaretPos, GetIconInfo, CreateIconIndirect, CreateCursor, ShowCaret, HideCaret, DestroyCaret, CreateCaret, IsWindowEnabled, RegisterWindowMessageW, GetKeyboardLayout, RegisterClipboardFormatW, SetClipboardViewer, IsHungAppWindow, LoadIconW, EnumDisplayMonitors, GetMonitorInfoW, MonitorFromWindow, SetMenuItemInfoW, GetMenuItemInfoW, TrackPopupMenu, RemoveMenu, ModifyMenuW, AppendMenuW, InsertMenuW, DestroyMenu, CreatePopupMenu, CreateMenu, DrawMenuBar, SetMenu, LoadImageW, GetSysColorBrush, ChildWindowFromPointEx, WindowFromPoint, GetCursorPos, GetFocus, RegisterClassExW, GetClassInfoW, UnregisterClassW, UnregisterPowerSettingNotification, RegisterPowerSettingNotification, GetKeyboardLayoutList, GetAncestor, DestroyIcon, DestroyCursor, GetWindow, GetWindowThreadProcessId, SetParent, GetParent, SetWindowLongPtrW, GetKeyboardState, LoadCursorW, GetWindowLongW, ScreenToClient, ClientToScreen, SetCursor, AdjustWindowRectEx, GetWindowRect, GetClientRect, SetWindowTextW, InvalidateRect, SetWindowRgn, GetUpdateRect, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, EnableMenuItem, GetSystemMenu, GetMenu, ReleaseCapture, SetCapture, GetCapture, IsTouchWindow, UnregisterTouchWindow, RegisterTouchWindow, SetFocus, IsIconic, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, MoveWindow, FlashWindowEx, SetLayeredWindowAttributes, UpdateLayeredWindow, ShowWindow, IsChild, CreateWindowExW, AttachThreadInput, PostMessageW, SendMessageW, UpdateLayeredWindowIndirect, GetCaretBlinkTime, MessageBeep, IsWindow, GetDoubleClickTime, GetDesktopWindow, GetSysColor, ReleaseDC, GetDC, DestroyWindow, DefWindowProcW, SystemParametersInfoW, GetSystemMetrics, GetKeyState, ToAscii, ToUnicode, MapVirtualKeyW, TrackPopupMenuEx, ChangeWindowMessageFilterEx, RealGetWindowClassW, 
EnumWindows, GetWindowTextW, CloseTouchInputHandle, GetTouchInputInfo, GetAsyncKeyState, GetMessageExtraInfo, TrackMouseEvent, GetClipboardFormatNameW, GetWindowLongPtrW, MessageBoxW, DrawIconEx, TranslateMessage, DispatchMessageW, GetQueueStatus, GetCursor, GetCursorInfo, SetCursorPos, EnumDisplayDevicesW, SetWindowLongW, RegisterClassW, MsgWaitForMultipleObjectsEx, SetTimer, KillTimer, CharNextExA, RegisterDeviceNotificationW, UnregisterDeviceNotification, MonitorFromPoint, ChangeClipboardChain
WINMM.dll: timeSetEvent, PlaySoundW, timeKillEvent
USERENV.dll: GetUserProfileDirectoryW
VERSION.dll: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
NETAPI32.dll: NetApiBufferFree, NetShareEnum
WS2_32.dll: WSAAsyncSelect
ADVAPI32.dll: RegCloseKey, RegOpenKeyExW, RegQueryValueExW, SystemFunction036, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegQueryInfoKeyW, RegSetValueExW, OpenProcessToken, AccessCheck, AllocateAndInitializeSid, CopySid, DuplicateToken, FreeSid, GetLengthSid, MapGenericMask, LookupAccountSidW, GetEffectiveRightsFromAclW, GetNamedSecurityInfoW, BuildTrusteeWithSidW
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49741        18.139.89.40    80                3128  C:\Windows\System32\svchost.exe


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49743        18.139.89.40    80                7296  C:\Windows\System32\svchost.exe


Target ID: 0
Start time: 05:21:58
Start date: 23/12/2024
Path: C:\Users\user\Desktop\R2-Signed.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\R2-Signed.exe"
Imagebase: 0x7ff6add00000
File size: 23'289'008 bytes
MD5 hash: A7471E097D4D4E84FA44A025603499E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                                                                            Target ID:2
                                                                                                                                            Start time:05:21:59
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                                            Imagebase:0x7ff6eef20000
                                                                                                                                            File size:55'320 bytes
                                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high
                                                                                                                                            Has exited:false

                                                                                                                                            Target ID:3
                                                                                                                                            Start time:05:22:00
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs
                                                                                                                                            Imagebase:0x7ff6eef20000
                                                                                                                                            File size:55'320 bytes
                                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high
                                                                                                                                            Has exited:false

                                                                                                                                            Target ID:4
                                                                                                                                            Start time:05:22:01
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Windows\System32\dllhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
                                                                                                                                            Imagebase:0x7ff70f330000
                                                                                                                                            File size:21'312 bytes
                                                                                                                                            MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:moderate
                                                                                                                                            Has exited:false

                                                                                                                                            Target ID:5
                                                                                                                                            Start time:05:22:01
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Program Files\Windows Mail\ParphaCrashReport64.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:"C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
                                                                                                                                            Imagebase:0x7ff7679f0000
                                                                                                                                            File size:238'384 bytes
                                                                                                                                            MD5 hash:8B5D51DF7BBD67AEB51E9B9DEE6BC84A
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Antivirus matches:
                                                                                                                                            • Detection: 4%, ReversingLabs
                                                                                                                                            Reputation:moderate
                                                                                                                                            Has exited:true

                                                                                                                                            Target ID:6
                                                                                                                                            Start time:05:22:02
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs
                                                                                                                                            Imagebase:0x7ff6eef20000
                                                                                                                                            File size:55'320 bytes
                                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high
                                                                                                                                            Has exited:false

                                                                                                                                            Target ID:7
                                                                                                                                            Start time:05:22:03
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Windows\System32\dllhost.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
                                                                                                                                            Imagebase:0x7ff70f330000
                                                                                                                                            File size:21'312 bytes
                                                                                                                                            MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:moderate
                                                                                                                                            Has exited:false


Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 76.4%
Total number of Nodes: 110
Total number of Limit Nodes: 4
execution_graph 13595 1800080f2 VirtualAllocEx WriteProcessMemory 13596 180008273 memset memcpy NtAlpcConnectPort 13595->13596 13598 18000a8b2 WriteProcessMemory 13599 18000a939 13598->13599 13600 180005824 realloc NtQuerySystemInformation 13601 1800054d5 13602 180005524 DuplicateHandle 13601->13602 13603 1800055a7 13602->13603 13604 180005a0d GetProcessId 13605 180005a8c 13604->13605 13610 180008e30 RtlAdjustPrivilege 13611 180008eb4 13610->13611 13612 180008eaf 13610->13612 13615 180112660 13611->13615 13614 180008eb9 13617 180112669 13615->13617 13616 180112674 13616->13614 13617->13616 13618 180112a14 IsProcessorFeaturePresent 13617->13618 13619 180112a2c 13618->13619 13622 180112ae8 RtlCaptureContext 13619->13622 13621 180112a3f 13621->13614 13623 180112b02 RtlLookupFunctionEntry 13622->13623 13624 180112b51 13623->13624 13625 180112b18 RtlVirtualUnwind 13623->13625 13624->13621 13625->13623 13625->13624 13626 180009bc0 VirtualAllocEx 13627 180009da0 13626->13627 13628 180001920 memset GetModuleFileNameW wcsstr 13629 1800019a8 13628->13629 13630 18000197a IsUserAnAdmin 13628->13630 13661 180001010 malloc 13629->13661 13631 180001984 13630->13631 13634 180001995 13630->13634 13640 1800015b0 13631->13640 13637 18000199f ExitProcess 13634->13637 13637->13629 13638 180112660 4 API calls 13639 1800019c0 13638->13639 13641 1800015db malloc 13640->13641 13642 180001893 13640->13642 13641->13642 13644 1800015f7 memcpy malloc 13641->13644 13643 180112660 4 API calls 13642->13643 13645 18000190e ExitProcess 13643->13645 13644->13642 13646 180001625 memset 13644->13646 13645->13634 13647 180001656 13646->13647 13648 18000165b 13646->13648 13649 18000169b memset GetModuleFileNameW malloc 13647->13649 13648->13647 13651 180001682 memcpy 13648->13651 13649->13642 13650 1800016df memset memcpy 13649->13650 13652 180001720 13650->13652 13651->13649 13652->13652 13653 180001773 OpenSCManagerW 13652->13653 13653->13642 13654 18000179b EnumServicesStatusExW malloc 13653->13654 13654->13642 13655 1800017f4 memset EnumServicesStatusExW 13654->13655 13656 180001845 CloseServiceHandle free 13655->13656 13657 180001856 CloseServiceHandle 13655->13657 13656->13642 13657->13642 13658 180001865 13657->13658 13658->13642 13659 180001870 lstrcmpiW 13658->13659 13659->13658 13660 180001895 free 13659->13660 13660->13642 13662 18000104e 13661->13662 13666 180001568 13661->13666 13665 1800010c4 malloc 13662->13665 13663 180112660 4 API calls 13664 18000159f 13663->13664 13664->13638 13665->13666 13667 1800010db memcpy memcpy 13665->13667 13666->13663 13668 180001120 13667->13668 13668->13666 13669 180001195 memset wsprintfW CreateFileW 13668->13669 13670 180001212 GetLastError 13669->13670 13671 18000121a WriteFile 13669->13671 13672 18000124c Sleep memset wsprintfW CreateFileW 13670->13672 13673 180001243 CloseHandle 13671->13673 13674 18000123d GetLastError 13671->13674 13675 1800012c4 GetLastError 13672->13675 13676 1800012cc WriteFile 13672->13676 13677 1800012fe Sleep memset wsprintfW CreateFileW 13675->13677 13678 1800012f5 CloseHandle 13676->13678 13679 1800012ef GetLastError 13676->13679 13680 180001376 GetLastError 13677->13680 13681 18000137e WriteFile 13677->13681 13678->13677 13679->13678 13682 1800013ac Sleep 13680->13682 13683 1800013a3 CloseHandle 13681->13683 13684 18000139d GetLastError 13681->13684 13682->13666 13685 1800013c1 VirtualAlloc 13682->13685 13683->13682 13684->13683 13685->13666 13686 1800013e6 memcpy CreateThread 13685->13686 13698 180001a10 CoInitialize 13686->13698 13689 180001523 memset memcpy CreateThread 13689->13666 13690 180001430 VariantInit 13691 180001498 13690->13691 13692 18000149c SysAllocString 13691->13692 13693 1800014be GetLastError 13691->13693 13695 1800014ba 13692->13695 13694 1800014c4 13693->13694 13694->13689 13696 1800014ca memset wsprintfW 13694->13696 13695->13693 13695->13694 13706 180001d60 13696->13706 13699 180001b50 13698->13699 13699->13699 13700 180001cae CLSIDFromString 13699->13700 13701 180001d04 IIDFromString 13700->13701 13702 180001d3b 13700->13702 13701->13702 13703 180001d17 CoCreateInstance 13701->13703 13704 180112660 4 API calls 13702->13704 13705 180001423 13704->13705 13705->13689 13705->13690 13707 180001da5 SysAllocString 13706->13707 13718 18000206a 13706->13718 13708 180001dbb 13707->13708 13711 180001dd9 SysAllocString SysAllocString 13708->13711 13708->13718 13709 180112660 4 API calls 13710 180002086 13709->13710 13710->13689 13712 180001e08 13711->13712 13713 180001f1f IIDFromString 13712->13713 13712->13718 13714 180001f4c 13713->13714 13715 180001f5e SysAllocString SysAllocString 13714->13715 13714->13718 13716 180001f88 13715->13716 13717 180001fd9 VariantInit SysAllocString 13716->13717 13716->13718 13717->13718 13718->13709

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
• String ID: Schedule
• API String ID: 3636854120-2739827629
• Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
• Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

Control-flow Graph

APIs
Strings
• 0, xrefs: 000000018000828B
• Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: AllocAlpcConnectMemoryPortProcessVirtualWritememcpymemset
• String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
• API String ID: 2322259470-3460289035
• Opcode ID: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
• Instruction ID: a438414d86da3f9fa76c6e2917a93b97ec5bb287934b9f4f7f73d30ebcaf7dce
• Opcode Fuzzy Hash: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
• Instruction Fuzzy Hash: 6D713DB5324EC891EBA5CF65E8587DA6362F788798F80A216DE4D07668DF3CC249C700

Control-flow Graph

Legend: • Executed • Not Executed
control_flow_graph 47 180009bc0-180009d4a VirtualAllocEx 48 180009da0-180009da9 47->48 49 180009db1-180009e16 48->49 50 180009dab 48->50 50->49
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: AllocVirtual
• String ID: @
• API String ID: 4275171209-2766056989
• Opcode ID: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
• Instruction ID: 13e2f726a9112c9c31c995d983c9da114070f7450b087ebba6d3042457f4b947
• Opcode Fuzzy Hash: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
• Instruction Fuzzy Hash: 8F41CF32318B9881EB65CF62F854BD67764F788784F519116EE8D43B14DF38C61AC700

Control-flow Graph

Legend: • Executed • Not Executed
control_flow_graph 54 180005824-1800058d4 realloc NtQuerySystemInformation
APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: InformationQuerySystemrealloc
• String ID:
• API String ID: 4089764311-0
• Opcode ID: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
• Instruction ID: b0525076bbbf58c043072cd616ac76dc382e5d39b6996fcf6a95a9be821e6ce1
• Opcode Fuzzy Hash: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
• Instruction Fuzzy Hash: 27015EB632498485FB55CBA6E86839BB362E38CBD4F44E0269E0D47758CE28C1098700

Control-flow Graph

Legend: • Executed • Not Executed
control_flow_graph 55 1800054d5-1800055a1 DuplicateHandle 57 1800055a7 55->57 58 1800069ad 55->58 57->58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
• Instruction ID: 9c50cbf5d08d3b6d4a605893f6b359a3682b26f1feaf6ace4ca51b493498b96a
• Opcode Fuzzy Hash: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
• Instruction Fuzzy Hash: 9211BFB1614B8885FB61CFA5E8187C773A0E38D794F45A116DE4E17B64CF38C209C704

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
• String ID: svchost.exe
• API String ID: 2075570005-3106260013
• Opcode ID: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
• Instruction ID: bee279387a080e4ef1cf93fe2260fe9373c10eb3ce040ed65f2ee5617e8a23f3
• Opcode Fuzzy Hash: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
• Instruction Fuzzy Hash: 87019631310A4C81FBAADB21E4A93DA6360BB8C795F449025A95E46695DF3CC34CC740

Control-flow Graph

Legend: • Executed • Not Executed
control_flow_graph 51 18000ad3e-18000adcc VirtualAllocEx 52 18000add5 51->52 53 18000adce 51->53 53->52
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: AllocVirtual
• String ID: @
• API String ID: 4275171209-2766056989
• Opcode ID: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
• Instruction ID: 6b845daad974ccd9c6abd76d61111d535f536517db2d34ef27256cbb8d76cfd7
• Opcode Fuzzy Hash: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
• Instruction Fuzzy Hash: 7B016DB5729A8C41FBA9CBA1F465BD62360A78DBD4F40A21A9D0E17B55DE2CC2068304

Control-flow Graph

Legend: • Executed • Not Executed
control_flow_graph 59 18000a9be-18000aa4b VirtualAllocEx 60 18000aa51 59->60 61 18000b194 59->61 60->61
APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
• Instruction ID: 251b8e02f3a2b925dc00676b0f08ae0c6924386de3889a0ff5d432a66f8cfcc3
• Opcode Fuzzy Hash: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
• Instruction Fuzzy Hash: 75012CB5619E8C41FBA9CBA1F464BDA6774E78DB94F40A11ADE0E17B51DF28C20AC304

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: AdjustPrivilege
• String ID:
• API String ID: 3260937286-0
• Opcode ID: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
• Instruction ID: 04bb496a426d1b43e6b52f20395e61ae4e41d159ec3593a713d9b4970c529e46
• Opcode Fuzzy Hash: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
• Instruction Fuzzy Hash: A5F04F3A334F8C81EBE9DB21E85979667A0B74CB98F41A406ED4D43764CE3DC2158B00

Control-flow Graph

Legend: • Executed • Not Executed
control_flow_graph 67 180005a0d-180005a86 GetProcessId 68 1800069ba 67->68 69 180005a8c 67->69 69->68
APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: Process
• String ID:
• API String ID: 1235230986-0
• Opcode ID: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
• Instruction ID: d652ffa87c38ed1c04ac93e0a0d2335ef1528c7a1f19fbd04ef7ff50280f2555
• Opcode Fuzzy Hash: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
• Instruction Fuzzy Hash: 0C018BB271490485EB54CB59E4503AB7371F78DBD8F50A122EF4E87764DF29C256C704

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 70 18000af22-18000afa4 WriteProcessMemory 71 18000afaa 70->71 72 18000b1a0 70->72 71->72
APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
• Instruction ID: 56856a108c934b35fd8b12db096080665d1aff2e22ecb35535ebb708edeb7d18
• Opcode Fuzzy Hash: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
• Instruction Fuzzy Hash: 9101E8B5319E8891FBA9CB52E898386A362A78DBD0F51D1169D0D47768CE2DC109C304

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 73 18000a8b2-18000a937 WriteProcessMemory 74 18000a939 73->74 75 18000a940 73->75 74->75
APIs
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
• Instruction ID: 440d9c2e63d84a318507e4d3145013176a8cc7cafd38941c5fd7eab054e276a3
• Opcode Fuzzy Hash: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
• Instruction Fuzzy Hash: 4A013CF5319E8881FBA5CB56E898786A762E78EBD4F41D1168D4D0B768CF3DC109C304

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 76 18000b100-18000b183 WriteProcessMemory 77 18000b185 76->77 78 18000b18c 76->78 77->78
APIs
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
• Instruction ID: 24c97e1a4b5bf787aa031fe235fe3c6da918f95ea593df74073bd4adbefb4954
• Opcode Fuzzy Hash: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
• Instruction Fuzzy Hash: 73F03CF5329E9981FBA5CB12EC58786A322F789BD4F41E1168D0D4B768CE2DC2098384

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 79 180001010-180001048 malloc 80 18000104e-18000107d call 180113300 79->80 81 180001590-1800015a9 call 180112660 79->81 86 180001084-18000108c 80->86 87 18000107f-180001082 80->87 89 180001093-1800010a4 86->89 90 18000108e-180001091 86->90 88 1800010c4-1800010d5 malloc 87->88 93 180001578-180001588 88->93 94 1800010db-180001116 memcpy * 2 88->94 91 1800010a6-1800010a9 89->91 92 1800010ab-1800010be call 180113336 89->92 90->88 91->88 92->88 93->81 96 180001120-18000116c 94->96 96->96 98 18000116e-18000117a 96->98 99 180001180-18000118b 98->99 99->99 100 18000118d-18000118f 99->100 100->93 101 180001195-180001210 memset wsprintfW CreateFileW 100->101 102 180001212-180001218 GetLastError 101->102 103 18000121a-18000123b WriteFile 101->103 104 18000124c-1800012c2 Sleep memset wsprintfW CreateFileW 102->104 105 180001243-180001246 CloseHandle 103->105 106 18000123d GetLastError 103->106 107 1800012c4-1800012ca GetLastError 104->107 108 1800012cc-1800012ed WriteFile 104->108 105->104 106->105 109 1800012fe-180001374 Sleep memset wsprintfW CreateFileW 107->109 110 1800012f5-1800012f8 CloseHandle 108->110 111 1800012ef GetLastError 108->111 112 180001376-18000137c GetLastError 109->112 113 18000137e-18000139b WriteFile 109->113 110->109 111->110 114 1800013ac-1800013bb Sleep 112->114 115 1800013a3-1800013a6 CloseHandle 113->115 116 18000139d GetLastError 113->116 117 1800013c1-1800013e0 VirtualAlloc 114->117 118 180001568-180001570 114->118 115->114 116->115 117->118 119 1800013e6-18000142a memcpy CreateThread call 180001a10 117->119 118->93 122 180001523-180001562 memset memcpy CreateThread 119->122 123 180001430-18000149a VariantInit 119->123 122->118 125 18000149c-1800014bc SysAllocString 123->125 126 1800014be GetLastError 123->126 125->126 127 1800014c4-1800014c8 125->127 126->127 127->122 129 1800014ca-18000151e memset wsprintfW call 180001d60 127->129 129->122
APIs
Strings
Similarity
• API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
• String ID: %s\%s$\Microsoft\Windows
• API String ID: 1085075972-4137575348
• Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
• Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 131 180001a10-180001b4f CoInitialize 132 180001b50-180001b5c 131->132 132->132 133 180001b5e-180001c9b 132->133 134 180001ca0-180001cac 133->134 134->134 135 180001cae-180001d02 CLSIDFromString 134->135 136 180001d04-180001d15 IIDFromString 135->136 137 180001d3b-180001d5a call 180112660 135->137 136->137 138 180001d17-180001d39 CoCreateInstance 136->138 138->137
APIs
Strings
Similarity
• API ID: FromString$CreateInitializeInstance
• String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 511945936-2205580742
• Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
• Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00
APIs
Strings
Similarity
• API ID: String$Alloc$FromInitVariant
• String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
• API String ID: 929278495-107290059
• Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
• Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300
APIs
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID:
• API String ID: 808467561-0
• Opcode ID: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
• Instruction ID: 4599084cfb13f8c747939fbc3aba35a6bd4e8a08bbcc0f0b71949d4f47730483
• Opcode Fuzzy Hash: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
• Instruction Fuzzy Hash: 5FB2E0766022998BE7A7CE69D544BED37A5F78C3C8F509125EA0657B88DF34CB48CB00
Strings
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
                                                                                                                                              • API String ID: 0-3440571002
                                                                                                                                              • Opcode ID: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
                                                                                                                                              • Instruction ID: 8c3100648684ed6cf3a6acba9f1e9974d33f54458c7afc613a7cd7d66638faa8
                                                                                                                                              • Opcode Fuzzy Hash: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
                                                                                                                                              • Instruction Fuzzy Hash: 53124DF5720E9891EF94CBB9E8687C66362F78D798F81A117DE0D57624DE38C20AC700
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ExceptionThrow
                                                                                                                                              • String ID: __restrict$__swift_1$__swift_2$__unaligned$call
                                                                                                                                              • API String ID: 432778473-3141380587
                                                                                                                                              • Opcode ID: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
                                                                                                                                              • Instruction ID: 673e966dcc0d85f334313fac89718d38bf41ed5ef13417959e8c730922fdb805
                                                                                                                                              • Opcode Fuzzy Hash: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
                                                                                                                                              • Instruction Fuzzy Hash: 5C627E72701E8882EB86EB25D4583DD27A1FB8EBD4F408125FA5E577A6DF38C649C700
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: gfffffff
                                                                                                                                              • API String ID: 3215553584-1523873471
                                                                                                                                              • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                              • Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
                                                                                                                                              • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                              • Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
                                                                                                                                              • API String ID: 0-638001070
                                                                                                                                              • Opcode ID: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
                                                                                                                                              • Instruction ID: 1bf4e9e1e70513e3816d114cab4aa84c7a719184b3830627372934e1f9606700
                                                                                                                                              • Opcode Fuzzy Hash: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
                                                                                                                                              • Instruction Fuzzy Hash: 0C8127F5324E9982EF95CBA8F8697D66322F7897D8F80A112CD1E57624DE38D209C704
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
                                                                                                                                              • API String ID: 0-1160837885
                                                                                                                                              • Opcode ID: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
                                                                                                                                              • Instruction ID: 55855d67a1f766f1614c6ad6b77d44964cb4204ffe99e224a87b86ff19b563fd
                                                                                                                                              • Opcode Fuzzy Hash: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
                                                                                                                                              • Instruction Fuzzy Hash: C841A4B5324E9882FF55CB69F8687966322F789BD8F40A116CD5E4B764DE3CC20AC704
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: memcpy_s
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1502251526-0
                                                                                                                                              • Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                                                                                                                              • Instruction ID: 57088630f82899a46a4f04304140a90d468cb093ad556e4d18a7d8c59b71a2f9
                                                                                                                                              • Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                                                                                                                              • Instruction Fuzzy Hash: 5EC1387671628987EB66CF19E044B9EB791F7987C4F44C125EB4A43B84DB38EA09DB00
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: 0$ko-KR
                                                                                                                                              • API String ID: 3215553584-2196303776
                                                                                                                                              • Opcode ID: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
                                                                                                                                              • Instruction ID: 454ebc8193fa5ca865f8f1965dd2a4e4b4682b0a5584ee5ea9980d899769f2f6
                                                                                                                                              • Opcode Fuzzy Hash: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
                                                                                                                                              • Instruction Fuzzy Hash: 3A71D33521070D82FBFB9A1990807E963A1E74D7C4FA4D126BE49437ABCF35CA4B9705
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: 0$p
                                                                                                                                              • API String ID: 0-2059906072
                                                                                                                                              • Opcode ID: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
                                                                                                                                              • Instruction ID: 3ee67f828506e40d833cc10e170725f94807106ad1cab914bfb00022e22d59fe
                                                                                                                                              • Opcode Fuzzy Hash: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
                                                                                                                                              • Instruction Fuzzy Hash: A731F075605E9D81EB55DF56E894BD62321F388BD8F42A212ED4E0BB24EE3CC15AC700
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3215553584-0
                                                                                                                                              • Opcode ID: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
                                                                                                                                              • Instruction ID: 1f61cd1c6d9a0cc47e5c3170d1c15f4e9de5b8ae94a737795fa3a990e1df4aaf
                                                                                                                                              • Opcode Fuzzy Hash: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
                                                                                                                                              • Instruction Fuzzy Hash: 0BA1E67231069881EBA3DB66A8047DAA3A0F78DBD4F549526FE9D07BC4DF78C64D8304
                                                                                                                                              APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: _clrfp
• String ID:
• API String ID: 3618594692-0
Similarity
• API ID: ExceptionThrow
• String ID: l section in CAtlBaseModule
• API String ID: 432778473-2709337986
Similarity
• API ID:
• String ID: __restrict
• API String ID: 0-803856930
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
Similarity
• API ID:
• String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
• API String ID: 0-3963691810
Similarity
• API ID:
• String ID: ncalrpc
• API String ID: 0-2983622238
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
                                                                                                                                              • Instruction ID: 30b487c4dbfd5edb157edb9dd0446cf9089909246d75a709a71c41256c183c41
                                                                                                                                              • Opcode Fuzzy Hash: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
                                                                                                                                              • Instruction Fuzzy Hash: 4F410672B10A5886EB14CF64F815B9AB3A8F788794F505025DF8E47B68EF3CC156C700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                                              • Instruction ID: 6a73b4ca67aa358b5cca9cf8f50e7addbf38a80432c4fb2377473208703d20e7
                                                                                                                                              • Opcode Fuzzy Hash: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                                              • Instruction Fuzzy Hash: 645126E9654B9982EF94DBA9F8693D62322FB497D8F80F112CE1E57724DD38D209C304
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                                              • Instruction ID: b6fa69fb7e3d6089a58b1dc0a55349c666dd73e1d328c0310e1d9ae523244059
                                                                                                                                              • Opcode Fuzzy Hash: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                                              • Instruction Fuzzy Hash: A351CF32715F8896EB64CB65F94478A73A5F7887C4F54412AEA8E83B28EF3CD119C700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
                                                                                                                                              • Instruction ID: 9937fe3f73516922539d469a7d9b5dbd200fa43091dfd9594953e81ca0841af9
                                                                                                                                              • Opcode Fuzzy Hash: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
                                                                                                                                              • Instruction Fuzzy Hash: 7F51C2B5760E9982EB64CF65E8687D66321FB89BD4F44E126DE0E57B24DE3CC11AC300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
                                                                                                                                              • Instruction ID: 211af31c44281ca6c3f3932d9a28d26ed70725301ca9e5a4bb4aa04c7d8998f6
                                                                                                                                              • Opcode Fuzzy Hash: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
                                                                                                                                              • Instruction Fuzzy Hash: 25419232310A5886EB85CF6AE954399A391E34CFD4F49D427EE4D97B58DE3CC649C300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
                                                                                                                                              • Instruction ID: 9b73b6c5183f860324fa61cee2baeb0ca0f8f8b507aed4a99a4e0eda6c344d24
                                                                                                                                              • Opcode Fuzzy Hash: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
                                                                                                                                              • Instruction Fuzzy Hash: 984103B3714E4995EB25CF61E86478AB3A5F3887D8F44E126EE4D07A58DF38C246C300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
                                                                                                                                              • Instruction ID: 048e6db2ecfd184872977d7eb727c5e493510e05d032e6f18c4ab6865a9947bf
                                                                                                                                              • Opcode Fuzzy Hash: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
                                                                                                                                              • Instruction Fuzzy Hash: B341B37261C6888AF7EB8F15B4847967B91E34E3D0F11C429F94A87691DF79C6888F00
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
                                                                                                                                              • Instruction ID: ea9816badbe891c07a2aded6d1ec92d5857af46983f2473552b7590bc608b90a
                                                                                                                                              • Opcode Fuzzy Hash: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
                                                                                                                                              • Instruction Fuzzy Hash: 24419D76B20A8886EB14CB65F45479AB365F38CBC4F40912ADE4E53B68DE3CC216C740
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
                                                                                                                                              • Instruction ID: ff810da637aa1fd401c95da2c6d69315e604f84d2d111450c1a2a7c20e68e2a5
                                                                                                                                              • Opcode Fuzzy Hash: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
                                                                                                                                              • Instruction Fuzzy Hash: B941FFB2318F89D6DB54CFA5E4A579A7B61F388788F84901ADE4E47A14DF38C12AC340
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
                                                                                                                                              • Instruction ID: 64e956f36281cdf23b4cab459502cafc9c3b83219f603c2a53f066b43bdf7739
                                                                                                                                              • Opcode Fuzzy Hash: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
                                                                                                                                              • Instruction Fuzzy Hash: 9931A2B2724A49A6DB15CF64D25878E7B62F3443D8F49A206DB0E57628EF39C16AC700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
                                                                                                                                              • Instruction ID: 8007ea01a93bf6de8c95f9a16faa5e8d6c04bd6e38d315922757046993a1328b
                                                                                                                                              • Opcode Fuzzy Hash: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
                                                                                                                                              • Instruction Fuzzy Hash: 5F2148F5761EA982EB89CFB5E86979A2321E749BD8F41A112CD0E17724DE2CD6098300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                                              • Instruction ID: baf3eb62263214422a0973d769ae56c08939dd68f110effc1bb9cb03c9f86de4
                                                                                                                                              • Opcode Fuzzy Hash: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                                              • Instruction Fuzzy Hash: CE2159F5720AA892EB85CFB4E468BD627A1F74C3A4F81A413DE0D47620EE39C209C300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                                              • Instruction ID: 7d1135aa24797edbf35de8feb47ffd13e3235087d5b84f893e072cfd3e31e24b
                                                                                                                                              • Opcode Fuzzy Hash: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                                              • Instruction Fuzzy Hash: D1118EA271498C46FB96DBB4F969BD76322EB4C3A9F80A012DD0D07A55DD3CC24AC700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                                              • Instruction ID: 95480194bb9f6c9ad9d964584a4fad66eb43ce3f3ee230db89eb3e49904c33dd
                                                                                                                                              • Opcode Fuzzy Hash: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                                              • Instruction Fuzzy Hash: 56210BF2711A5D92EB49DF75D868BD667A2E78CBD4F41E512CD0E5B624DE3CC2098300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                                              • Instruction ID: 02ba138fbc53fc0a7e206b6c0fccc1f4cb11f22df8a79a790e142c2087e4c986
                                                                                                                                              • Opcode Fuzzy Hash: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                                              • Instruction Fuzzy Hash: 48213BB6761A5DC5EF49DF65E868B8A6721F788BD8F41A122CD0E47728DE3CD209C700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                                              • Instruction ID: 4519c20df033b0754d584584f46a47e9c3f61284702b1b178af72c485ed47193
                                                                                                                                              • Opcode Fuzzy Hash: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                                              • Instruction Fuzzy Hash: E02160F5714F8482EB45CBB5E8593CA63B1FB897A4F40A506DA4E57A24EE3CD20AC700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                                              • Instruction ID: bc53908923a101081ac78a2ff91d1596a8a62396a49556bd27b6b69a29ae519e
                                                                                                                                              • Opcode Fuzzy Hash: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                                              • Instruction Fuzzy Hash: 6511E3E262096C82FB59DFA6A869F862332E349BD8F01E123DD5E5B714DD39C10BC300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                                              • Instruction ID: 8fbfe2caa4e00eb4ae2a73ae29cd16ebba4a4082f14f5113274d96e794981e6d
                                                                                                                                              • Opcode Fuzzy Hash: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                                              • Instruction Fuzzy Hash: 0721A4B2709A9882EB55CF64E4687977761FB8C798F41A116DE4E47A14EF3DC109C700
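Each record above ties one disassembled function to the memory region it was carved from (the .sdmp Source File), the other regions of the same module (Associated), and the opcode / instruction IDs and fuzzy hashes Joe Sandbox uses for similarity matching. Every record in this run points at the same region: a PE-backed, executable page at 0x180001000 whose dump name carries 00000020.00001000.00020000. The following Python is an added example, not code from the report or from Joe Sandbox, that parses such records into structured form, decodes the dotted .sdmp name, and flags PE-backed executable memory the OS reports as MEM_PRIVATE. The field layout of the .sdmp name (process index, snapshot, sequence number, base address, protection, state, type) is an assumption inferred from the values on this page lining up with the Windows MEMORY_BASIC_INFORMATION constants (0x20 PAGE_EXECUTE_READ on the code region, 0x04 PAGE_READWRITE on the header region, 0x02 PAGE_READONLY on the trailing data regions, 0x1000 MEM_COMMIT, 0x20000 MEM_PRIVATE); it is not a documented Joe Sandbox format, and the "manually mapped" heuristic is likewise the author's assumption. The sample text is constructed from two of the records listed on this page.

```python
import re
from collections import Counter

# Constructed sample in the shape of the listing above: two records, kept with the
# "Download File" residue that page extraction glued onto the Associated lines.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
• Instruction ID: 64e956f36281cdf23b4cab459502cafc9c3b83219f603c2a53f066b43bdf7739
• Opcode Fuzzy Hash: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
• Instruction Fuzzy Hash: 9931A2B2724A49A6DB15CF64D25878E7B62F3443D8F49A206DB0E57628EF39C16AC700
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
• Instruction ID: 8007ea01a93bf6de8c95f9a16faa5e8d6c04bd6e38d315922757046993a1328b
• Opcode Fuzzy Hash: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
• Instruction Fuzzy Hash: 5F2148F5761EA982EB89CFB5E86979A2321E749BD8F41A112CD0E17724DE2CD6098300
"""

# Windows MEMORY_BASIC_INFORMATION constants (from winnt.h). Mapping them onto the
# 5th..7th dotted fields of the .sdmp name is an ASSUMPTION inferred from the
# values seen in this report, not documented Joe Sandbox behaviour.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
# Bullet line "• Key: value", with any trailing "Download File" residue discarded.
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*(?:Download File)?\s*$")


def parse_dump_name(name: str) -> dict:
    """Decode a dotted .sdmp file name into region metadata (field layout assumed)."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a .sdmp dump name: {name!r}")
    proc, snap, seq, base, prot, state, typ = m.groups()
    prot_v, state_v, type_v = int(prot, 16), int(state, 16), int(typ, 16)
    return {
        "process": int(proc), "snapshot": int(snap), "sequence": int(seq),
        "base": int(base, 16),
        "protect": PAGE_PROTECT.get(prot_v & 0xFF, hex(prot_v)),
        "executable": bool(prot_v & 0xF0),          # any PAGE_EXECUTE* bit
        "state": MEM_STATE.get(state_v, hex(state_v)),
        "type": MEM_TYPE.get(type_v, hex(type_v)),
    }


def parse_records(text: str) -> list:
    """Split the listing into one dict per "Memory Dump Source" record."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {"associated": []}
            records.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue                                  # section headers, blank lines
        key, val = m.group(1).strip(), m.group(2)
        if key == "Source File":                      # "NAME, Offset: X, based on PE: true"
            parts = [p.strip() for p in val.split(",")]
            cur["source"] = parse_dump_name(parts[0])
            for p in parts[1:]:
                k, _, v = p.partition(":")
                if k.strip() == "Offset":
                    cur["offset"] = int(v.strip(), 16)
                elif k.strip() == "based on PE":
                    cur["based_on_pe"] = v.strip() == "true"
        elif key == "Associated":
            cur["associated"].append(parse_dump_name(val))
        elif val:                                     # drop empty API/String ID fields
            cur[key.lower().replace(" ", "_")] = val
    return records


def manually_mapped(records: list) -> list:
    """Heuristic (assumption): a PE-backed, executable region that is MEM_PRIVATE rather
    than MEM_IMAGE was not mapped by the Windows loader, which is what reflective or
    manual mapping leaves behind. Confirm against the live process before relying on it."""
    return [r for r in records
            if r.get("based_on_pe") and r["source"]["executable"]
            and r["source"]["type"] == "MEM_PRIVATE"]


def summarize(records: list) -> dict:
    """Collapse the listing to the facts an analyst wants: distinct regions, distinct
    functions, and any Opcode ID that appears more than once."""
    regions = Counter((r["source"]["base"], r["source"]["protect"]) for r in records)
    opcodes = Counter(r.get("opcode_id") for r in records)
    return {
        "records": len(records),
        "unique_regions": len(regions),
        "unique_opcode_ids": len(opcodes),
        "duplicate_opcode_ids": sorted(k for k, n in opcodes.items() if n > 1),
        "manually_mapped": len(manually_mapped(records)),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(recs[0]["source"])
    print(summarize(recs))
```

Run against the full listing the summary reduces thousands of near-identical records to a handful of regions; the interesting output is the region tuple itself, since executable, PE-backed memory at a DLL-style base of 0x180000000 that is committed as MEM_PRIVATE is the footprint of an image loaded outside the normal loader path rather than a section-backed module.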
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
                                                                                                                                              • Instruction ID: 9e59c1c7de84271de07ddad5238888e61d5fae15b8e3d2a62c0818bf1ca1a5d9
                                                                                                                                              • Opcode Fuzzy Hash: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
                                                                                                                                              • Instruction Fuzzy Hash: 2F1151B5714E9882EB54CB74E46839A6361F7887B8F80A316C92E576E4DF39C10AC744
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
                                                                                                                                              • Instruction ID: 453c13d840d8ab8480c25eabad8a5a4e6cf22c2320a7064174f112572a8564ab
                                                                                                                                              • Opcode Fuzzy Hash: b00286fc56aac180519fed44c3472dbbed5625b745e2bf1041001a8241787df3
                                                                                                                                              • Instruction Fuzzy Hash: 8E113CE171196846FF89CF65D9697665393EB8C7E4F81E426CE0E8B768ED3CC1098304
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
                                                                                                                                              • Instruction ID: dcb26d1462b17352493136ca1a284502f5bdb4a1f8be4333a819d013a470b478
                                                                                                                                              • Opcode Fuzzy Hash: 3e6f47147aee9d0c5d2e3a57a73bf876d140cefaec2fbc1aba1964aca6a06b7c
                                                                                                                                              • Instruction Fuzzy Hash: 3311C2B6624A9E42E709DFF4B424FCA3771E389750F00B517DE4A53510DE38C21AC300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
                                                                                                                                              • Instruction ID: 1bcc190078e11d5e3502c0fb8cfdf52a8957de65a2b1b8071e9e04ba3849ecfd
                                                                                                                                              • Opcode Fuzzy Hash: 0e8879920a56ce6d951eaa2299e71384d51284fb55c40a98b48f618b07d76cb7
                                                                                                                                              • Instruction Fuzzy Hash: 9D1100F5721E9841FB49CB75D4683D66362E788794F80A917CA0F57664DD39C2498340
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
                                                                                                                                              • Instruction ID: 81b86e7094c320bcc5e7f926c263843823ab5f04b050e6f3beb40bfc522f2c83
                                                                                                                                              • Opcode Fuzzy Hash: 62fa84bd9608fd1e2ded7a46ac84a71bf4807f0703b11cbbff9e650931e748d0
                                                                                                                                              • Instruction Fuzzy Hash: 4F114FB5614E9882EB54CB78F4687DA6321F78C798F80B113CD0E57625EE39C21AC340
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
                                                                                                                                              • Instruction ID: 58ab01e0f729e006e025e3cd5db47f1a357a7dbbf023e6ea43b04656e7f2b6d0
                                                                                                                                              • Opcode Fuzzy Hash: 169374a88c9bc48999de202173db2c687a39263e6fb74efa0de97639e935559a
                                                                                                                                              • Instruction Fuzzy Hash: 6A113DB1715E6881EB59CF65E9587866362F74C798F82E122CC4E47728EE39C248C700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
                                                                                                                                              • Instruction ID: 246bc5305b8913a4d01db227893256f8bf5d597bde7be6eae501e461eb4fa0bc
                                                                                                                                              • Opcode Fuzzy Hash: 6214b3987fdb11ae9af8bb44ed0752c7393761a47505b246c2a752352195c6b7
                                                                                                                                              • Instruction Fuzzy Hash: A4113CB2711E5C91EB49CF25E868B9A67A1F78CB94F41E526DE0E47768DE3CC209C300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
                                                                                                                                              • Instruction ID: 91f1bf17694832eb7885352137df2ae2a0c82d5e88c9f87b3bad460dc89f63f9
                                                                                                                                              • Opcode Fuzzy Hash: 7a304966c8f6e6c63f3b4d1dc84eaa042215815f68f4f7ed99f7cad32e1286f1
                                                                                                                                              • Instruction Fuzzy Hash: 451169F531286D82EB89CF65E929B865322E7487D8F82F112CC0E4B718ED39D109C700
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
                                                                                                                                              • Instruction ID: 39990edd012c80a11a8c246ade81e0b00b1fb03419df7482220b1a2638345046
                                                                                                                                              • Opcode Fuzzy Hash: 214099cfcd0ee3826ed9ef66e5b675abfeddc10177d1ca11de6341e968b0d06b
• Instruction Fuzzy Hash: 7E11A5F1330A8886FB95CBB5E8683DA6361E78D7D4F84B012CE0E47765CE28C20AC304
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
• Instruction ID: 15f0b12e67b83b815c9156cfa897ef3110cdd404d207d48cd89176b21f2d8fa0
• Opcode Fuzzy Hash: dcce50d7d365edf9bc1dcf0723df82f9ff79db8457ccb87dc38c7b0742b08610
• Instruction Fuzzy Hash: 06015EB5751E6D82EB89DF75E4697DA2320EB48B94F82B512CC0E57320ED3CDA0AC300
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
• Instruction ID: 22dcafcaff4b78d83aaf35a6f31f5da21172cbe544e4bfae6083fdcba81ddec3
• Opcode Fuzzy Hash: 6f73bb3cb6f5cf5abec075b9014cb563e06a4567c89c5d20f7171c5a4b410b69
• Instruction Fuzzy Hash: 080152F5611E9D82EB45CBB9E8A83D76325E78D7E8F40E1128E0E67625DE38C2098300
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
• Instruction ID: c05fe9916e29f3615726ac8ab40efd06a7f832fe150a5180127c36e0d361f74a
• Opcode Fuzzy Hash: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
• Instruction Fuzzy Hash: 130125F1652E5E82FB59CBA4E569BC66362EB487D8F40F1179D0D07618EE3CD219C304
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
• Instruction ID: c5723c18dcfd40d5e26eb64c6513ed8ad7c8279d3e69258c72aec0d621b19a73
• Opcode Fuzzy Hash: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
• Instruction Fuzzy Hash: 15F06871714A548AEBD5CF2CA44276A77D0F30C3C4FA0C519E68983B04D63D8165CF04
APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
• String ID:
• API String ID: 1326835672-0
• Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
• Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
• Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
• Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
• String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
• API String ID: 2273495996-2419032777
• Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
• Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304
APIs
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
• Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
• Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
• Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *$ko-KR
• API String ID: 3215553584-1095117856
• Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
• Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
• Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
• Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID:
• String ID: __swift_1$__swift_2
• API String ID: 0-2914474356
• Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
• Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
• Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfff$o-l1-2-1
• API String ID: 3215553584-1082851355
• Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
• Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
• Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
                                                                                                                                              • API String ID: 3215553584-688204690
                                                                                                                                              • Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                              • Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
                                                                                                                                              • Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                              • Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: DestructExceptionObject$__vcrt_getptd_noexit
                                                                                                                                              • String ID: csm
                                                                                                                                              • API String ID: 3780691363-1018135373
                                                                                                                                              • Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                              • Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
                                                                                                                                              • Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                              • Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: __std_exception_copy
                                                                                                                                              • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                                              • API String ID: 592178966-1611991873
                                                                                                                                              • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                              • Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
                                                                                                                                              • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                              • Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000002.1685826341.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000000.00000002.1685804637.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686712081.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686852595.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000000.00000002.1686963387.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_2_180000000_R2-Signed.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                              • String ID: File
                                                                                                                                              • API String ID: 932687459-749574446
                                                                                                                                              • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                              • Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
                                                                                                                                              • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                              • Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 51.2%
Total number of Nodes: 379
Total number of Limit Nodes: 39
                                                                                                                                              execution_graph 41423 1845c4e2140 41504 1845c4fb990 VirtualAlloc 41423->41504 41425 1845c4e2156 41511 1845c4fd340 GetModuleHandleW 41425->41511 41427 1845c4e215b WSAStartup 41428 1845c4e236b 41427->41428 41429 1845c4e2175 41427->41429 41521 1845c4fd7d0 CoInitializeEx 41429->41521 41431 1845c4e219a GetCommandLineW CommandLineToArgvW 41531 1845c4eafc0 VirtualAlloc 41431->41531 41434 1845c4e21e3 InitializeCriticalSection 41435 1845c4e21f4 VirtualAlloc 41434->41435 41436 1845c4e221a InitializeCriticalSection 41435->41436 41437 1845c4e222b memset GetCurrentProcessId 41435->41437 41436->41437 41542 1845c4fc950 memset CreateToolhelp32Snapshot 41437->41542 41440 1845c4e2273 lstrcmpiW 41442 1845c4e2289 41440->41442 41443 1845c4e2297 lstrcmpiW 41440->41443 41441 1845c4e226e 41441->41440 41673 1845c4e2830 GetModuleHandleW GetModuleHandleW GetModuleHandleW VirtualProtect VirtualProtect 41442->41673 41445 1845c4e22be lstrcmpiW 41443->41445 41446 1845c4e22ad GetCurrentProcess TerminateProcess 41443->41446 41447 1845c4e23e0 41445->41447 41448 1845c4e22d8 41445->41448 41446->41445 41451 1845c4e23ed memset GetModuleFileNameW wcsstr 41447->41451 41452 1845c4e25c7 lstrcmpiW 41447->41452 41549 1845c4fd140 OpenSCManagerW 41448->41549 41449 1845c4e228e ExitThread 41454 1845c4e2473 memset GetModuleFileNameW IsUserAnAdmin 41451->41454 41455 1845c4e242f GetNativeSystemInfo 41451->41455 41456 1845c4e25e0 41452->41456 41457 1845c4e2697 41452->41457 41462 1845c4e24b7 41454->41462 41493 1845c4e24a6 41454->41493 41460 1845c4e2642 41455->41460 41461 1845c4e245b 41455->41461 41456->41428 41463 1845c4e25ed lstrcmpiW 41456->41463 41682 1845c4e2000 103 API calls 41457->41682 41458 1845c4e23a1 CreateThread 41458->41458 41466 1845c4e23c7 WaitForSingleObject CloseHandle 41458->41466 41459 1845c4e22f4 41558 1845c4fca60 CreateToolhelp32Snapshot 41459->41558 41467 
1845c4fd140 10 API calls 41460->41467 41461->41460 41469 1845c4e2465 41461->41469 41676 1845c4f0e40 16 API calls 41462->41676 41463->41457 41471 1845c4e2606 GetNativeSystemInfo 41463->41471 41466->41458 41472 1845c4e264e 41467->41472 41675 1845c4e26b0 84 API calls 41469->41675 41471->41460 41476 1845c4e262e 41471->41476 41479 1845c4e267c 41472->41479 41480 1845c4e2654 41472->41480 41473 1845c4e2300 41481 1845c4e2330 41473->41481 41482 1845c4e2304 OpenProcess 41473->41482 41475 1845c4e24c3 41677 1845c4f0fa0 41 API calls 41475->41677 41476->41460 41478 1845c4e2634 41476->41478 41680 1845c4e26b0 84 API calls 41478->41680 41681 1845c4e26b0 84 API calls 41479->41681 41569 1845c4f0680 VirtualAlloc 41480->41569 41495 1845c4e233d WaitForSingleObject GetExitCodeProcess 41481->41495 41496 1845c4e2394 Sleep 41481->41496 41674 1845c4e26b0 84 API calls 41481->41674 41482->41481 41488 1845c4e231c TerminateProcess CloseHandle 41482->41488 41483 1845c4e246a ExitProcess 41484 1845c4e2681 GetCurrentProcess TerminateProcess 41484->41428 41485 1845c4e24d6 41678 1845c4fd2a0 8 API calls 41485->41678 41488->41481 41492 1845c4e2639 ExitProcess 41493->41484 41494 1845c4e24e2 memset wsprintfW 41679 1845c4d1070 41494->41679 41495->41428 41495->41481 41496->41481 41505 1845c4fb9cf memcpy 41504->41505 41506 1845c4fbc0e 41504->41506 41505->41506 41507 1845c4fb9fa VirtualAlloc 41505->41507 41506->41425 41507->41506 41508 1845c4fba1e memcpy memcpy 41507->41508 41509 1845c4fba90 41508->41509 41509->41509 41510 1845c4fbaff memset ExpandEnvironmentStringsW memset 41509->41510 41510->41425 41512 1845c4fd590 41511->41512 41513 1845c4fd371 GetCurrentProcess K32GetModuleInformation memset GetSystemDirectoryW 41511->41513 41512->41427 41514 1845c4fd3c5 lstrcatW CreateFileW 41513->41514 41515 1845c4fd57d 41513->41515 41516 1845c4fd415 CreateFileMappingW 41514->41516 41518 1845c4fd538 41514->41518 41515->41427 41517 1845c4fd43c MapViewOfFile 41516->41517 41516->41518 41517->41518 41519 1845c4fd469 
41517->41519 41518->41427 41519->41518 41520 1845c4fd4d5 VirtualProtect memcpy VirtualProtect 41519->41520 41520->41519 41522 1845c4fd8c5 41521->41522 41523 1845c4fd82e CoCreateInstance 41521->41523 41522->41431 41524 1845c4fd86e CoUninitialize 41523->41524 41525 1845c4fd84f 41523->41525 41524->41431 41526 1845c4fd864 41525->41526 41527 1845c4fd87a SysAllocString 41525->41527 41526->41524 41528 1845c4fd89d SysFreeString 41527->41528 41529 1845c4fd8b0 CoUninitialize 41528->41529 41529->41522 41532 1845c4e21c2 VirtualAlloc 41531->41532 41533 1845c4eafe9 CreateEventW VirtualAlloc 41531->41533 41532->41434 41532->41435 41534 1845c4eb094 InitializeCriticalSection 41533->41534 41535 1845c4eb0a5 VirtualAlloc 41533->41535 41534->41535 41536 1845c4eb0dc VirtualAlloc 41535->41536 41537 1845c4eb0cb InitializeCriticalSection 41535->41537 41538 1845c4eb102 InitializeCriticalSection 41536->41538 41539 1845c4eb113 VirtualAlloc 41536->41539 41537->41536 41538->41539 41540 1845c4eb14a 41539->41540 41541 1845c4eb139 InitializeCriticalSection 41539->41541 41540->41532 41541->41540 41543 1845c4fc991 Process32FirstW 41542->41543 41544 1845c4e2256 lstrcmpiW 41542->41544 41545 1845c4fc9af 41543->41545 41548 1845c4fc9c8 41543->41548 41544->41440 41544->41441 41547 1845c4fc9b6 Process32NextW 41545->41547 41545->41548 41546 1845c4fca3e CloseHandle 41546->41544 41547->41545 41547->41548 41548->41544 41548->41546 41550 1845c4fd177 EnumServicesStatusExW malloc 41549->41550 41557 1845c4e22e4 GetCurrentProcessId 41549->41557 41551 1845c4fd1d4 memset EnumServicesStatusExW 41550->41551 41550->41557 41552 1845c4fd228 CloseServiceHandle free 41551->41552 41553 1845c4fd24d CloseServiceHandle 41551->41553 41552->41557 41556 1845c4fd25e 41553->41556 41553->41557 41554 1845c4fd260 lstrcmpiW 41555 1845c4fd286 free 41554->41555 41554->41556 41555->41557 41556->41554 41556->41557 41557->41458 41557->41459 41559 1845c4fca9d GetProcessHeap HeapAlloc 41558->41559 41560 1845c4fca8a 41558->41560 41561 
1845c4fcad1 Process32FirstW 41559->41561 41562 1845c4fcac7 CloseHandle 41559->41562 41560->41473 41564 1845c4fcb1c GetProcessHeap HeapFree CloseHandle 41561->41564 41565 1845c4fcae4 41561->41565 41563 1845c4fcb3c 41562->41563 41563->41473 41564->41563 41566 1845c4fcaf0 lstrcmpiW 41565->41566 41567 1845c4fcb01 Process32NextW 41566->41567 41568 1845c4fcb11 41566->41568 41567->41566 41567->41568 41568->41564 41570 1845c4f0d9b 41569->41570 41571 1845c4f06a9 GetCurrentProcess OpenProcessToken 41569->41571 41570->41493 41572 1845c4f06e3 LookupPrivilegeValueW AdjustTokenPrivileges GetLastError 41571->41572 41573 1845c4f0741 VirtualAlloc 41571->41573 41572->41573 41574 1845c4f0731 41572->41574 41575 1845c4f0771 IsBadReadPtr 41573->41575 41576 1845c4f0760 InitializeCriticalSection 41573->41576 41574->41573 41579 1845c4f073b CloseHandle 41574->41579 41577 1845c4f07dc IsBadReadPtr 41575->41577 41578 1845c4f0787 41575->41578 41576->41575 41581 1845c4f07f2 41577->41581 41582 1845c4f0847 IsBadReadPtr 41577->41582 41578->41577 41580 1845c4f078c EnterCriticalSection VirtualAlloc 41578->41580 41579->41573 41583 1845c4f07d2 LeaveCriticalSection 41580->41583 41584 1845c4f07b2 41580->41584 41581->41582 41585 1845c4f07f7 EnterCriticalSection VirtualAlloc 41581->41585 41586 1845c4f08b2 IsBadReadPtr 41582->41586 41587 1845c4f085d 41582->41587 41583->41577 41584->41583 41590 1845c4f083d LeaveCriticalSection 41585->41590 41591 1845c4f081d 41585->41591 41588 1845c4f091d IsBadReadPtr 41586->41588 41589 1845c4f08c8 41586->41589 41587->41586 41592 1845c4f0862 EnterCriticalSection VirtualAlloc 41587->41592 41594 1845c4f0933 41588->41594 41595 1845c4f0988 IsBadReadPtr 41588->41595 41589->41588 41593 1845c4f08cd EnterCriticalSection VirtualAlloc 41589->41593 41590->41582 41591->41590 41596 1845c4f08a8 LeaveCriticalSection 41592->41596 41597 1845c4f0888 41592->41597 41598 1845c4f0913 LeaveCriticalSection 41593->41598 41599 1845c4f08f3 41593->41599 41594->41595 41600 1845c4f0938 
EnterCriticalSection VirtualAlloc 41594->41600 41601 1845c4f09f3 IsBadReadPtr 41595->41601 41602 1845c4f099e 41595->41602 41596->41586 41597->41596 41598->41588 41599->41598 41603 1845c4f097e LeaveCriticalSection 41600->41603 41604 1845c4f095e 41600->41604 41606 1845c4f0a5e IsBadReadPtr 41601->41606 41607 1845c4f0a09 41601->41607 41602->41601 41605 1845c4f09a3 EnterCriticalSection VirtualAlloc 41602->41605 41603->41595 41604->41603 41611 1845c4f09e9 LeaveCriticalSection 41605->41611 41612 1845c4f09c9 41605->41612 41609 1845c4f0ac9 IsBadReadPtr 41606->41609 41610 1845c4f0a74 41606->41610 41607->41606 41608 1845c4f0a0e EnterCriticalSection VirtualAlloc 41607->41608 41613 1845c4f0a54 LeaveCriticalSection 41608->41613 41614 1845c4f0a34 41608->41614 41616 1845c4f0adf 41609->41616 41617 1845c4f0b1c 41609->41617 41610->41609 41615 1845c4f0a79 EnterCriticalSection VirtualAlloc 41610->41615 41611->41601 41612->41611 41613->41606 41614->41613 41619 1845c4f0abf LeaveCriticalSection 41615->41619 41620 1845c4f0a9f 41615->41620 41616->41617 41621 1845c4f0ae4 EnterCriticalSection 41616->41621 41618 1845c4f0b1f IsBadReadPtr 41617->41618 41622 1845c4f0b6e 41618->41622 41623 1845c4f0b38 41618->41623 41619->41609 41620->41619 41624 1845c4f0b13 LeaveCriticalSection 41621->41624 41625 1845c4f0af9 41621->41625 41627 1845c4f0b71 IsBadReadPtr 41622->41627 41623->41622 41626 1845c4f0b3d EnterCriticalSection 41623->41626 41624->41617 41625->41624 41632 1845c4f0da1 LeaveCriticalSection 41625->41632 41628 1845c4f0b52 41626->41628 41629 1845c4f0b65 LeaveCriticalSection 41626->41629 41630 1845c4f0bc1 41627->41630 41631 1845c4f0b8b 41627->41631 41628->41629 41633 1845c4f0db3 LeaveCriticalSection 41628->41633 41629->41622 41635 1845c4f0bc4 IsBadReadPtr 41630->41635 41631->41630 41634 1845c4f0b90 EnterCriticalSection 41631->41634 41632->41618 41633->41627 41636 1845c4f0bb8 LeaveCriticalSection 41634->41636 41637 1845c4f0ba5 41634->41637 41638 1845c4f0bde 41635->41638 41639 1845c4f0c1c 41635->41639 
41636->41630 41637->41636 41642 1845c4f0dc5 LeaveCriticalSection 41637->41642 41638->41639 41640 1845c4f0be3 EnterCriticalSection 41638->41640 41641 1845c4f0c1f IsBadReadPtr 41639->41641 41643 1845c4f0c13 LeaveCriticalSection 41640->41643 41644 1845c4f0bf8 41640->41644 41645 1845c4f0c6f 41641->41645 41646 1845c4f0c39 41641->41646 41642->41635 41643->41639 41644->41643 41649 1845c4f0dd7 LeaveCriticalSection 41644->41649 41648 1845c4f0c72 IsBadReadPtr 41645->41648 41646->41645 41647 1845c4f0c3e EnterCriticalSection 41646->41647 41650 1845c4f0c53 41647->41650 41651 1845c4f0c66 LeaveCriticalSection 41647->41651 41652 1845c4f0cc2 41648->41652 41653 1845c4f0c8c 41648->41653 41649->41641 41650->41651 41655 1845c4f0de9 LeaveCriticalSection 41650->41655 41651->41645 41654 1845c4f0cc5 IsBadReadPtr 41652->41654 41653->41652 41656 1845c4f0c91 EnterCriticalSection 41653->41656 41659 1845c4f0cdf 41654->41659 41660 1845c4f0d1c 41654->41660 41655->41648 41657 1845c4f0cb9 LeaveCriticalSection 41656->41657 41658 1845c4f0ca6 41656->41658 41657->41652 41658->41657 41661 1845c4f0dfb LeaveCriticalSection 41658->41661 41659->41660 41662 1845c4f0ce4 EnterCriticalSection 41659->41662 41663 1845c4f0d1f IsBadReadPtr 41660->41663 41661->41654 41664 1845c4f0d13 LeaveCriticalSection 41662->41664 41665 1845c4f0cf9 41662->41665 41666 1845c4f0d6f 41663->41666 41667 1845c4f0d39 41663->41667 41664->41660 41665->41664 41669 1845c4f0e0d LeaveCriticalSection 41665->41669 41666->41570 41667->41666 41668 1845c4f0d3e EnterCriticalSection 41667->41668 41670 1845c4f0d53 41668->41670 41671 1845c4f0d66 LeaveCriticalSection 41668->41671 41669->41663 41670->41671 41672 1845c4f0e1f LeaveCriticalSection 41670->41672 41671->41666 41672->41666 41673->41449 41674->41481 41675->41483 41676->41475 41677->41485 41678->41494 41680->41492 41681->41484 41683 1845c4efe20 CreateProcessW 41684 1845c4efef7 SuspendThread 41683->41684 41685 1845c4efec6 GetLastError 41683->41685 41691 1845c4ef9e0 VirtualAllocEx 41684->41691 
[Control-flow graph: the node and edge listing spilled from the rendered graph image is not reproduced. Recoverable node labels (function entry addresses and the APIs called along their paths): 1845c4efed8/1845c4efeed: CloseHandle; 1845c4efa3f-1845c4efcdb: GetLastError, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, memset, GetThreadContext, SetThreadContext, Wow64GetThreadContext, Wow64SetThreadContext, ResumeThread; 1845c4ef560: VirtualAlloc, memcpy, VirtualFree; 1845c4f6f00: IsBadReadPtr, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, VirtualFree; 1845b3a0000: LoadLibraryA, GetProcAddressForCaller; 1845b370000: LoadLibraryA; 1845b370345: VirtualFree; 1800019d0: DeleteFileW, SleepEx; 180001920: memset, GetModuleFileNameW, wcsstr, IsUserAnAdmin, ExitProcess (plus subcall 1800015b0, 28 API calls); 180001010: malloc, memcpy, memset, wsprintfW, CreateFileW, WriteFile, GetLastError, CloseHandle, SleepEx, Sleep, VirtualAlloc, CreateThread; 180001a10: CoInitializeEx, CLSIDFromString, IIDFromString, CoCreateInstance; 180001430: VariantInit, SysAllocString, GetLastError; 180001d60: SysAllocString, IIDFromString, VariantInit; 180112660: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.]

Control-flow Graph

[Control-flow graph for the function at 1845c4f0680: the node and edge listing spilled from the rendered graph image is not reproduced. Recoverable node labels: VirtualAlloc; GetCurrentProcess, OpenProcessToken; LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError; CloseHandle; VirtualAlloc, InitializeCriticalSection; then a repeated sequence of IsBadReadPtr, EnterCriticalSection, VirtualAlloc, LeaveCriticalSection blocks ending at 1845c4f0da0.]
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterRead$AllocVirtual$ProcessToken$AdjustCloseCurrentErrorHandleInitializeLastLookupOpenPrivilegePrivilegesValue
• String ID: SeDebugPrivilege
• API String ID: 3221255601-2896544425
• Opcode ID: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
• Instruction ID: 38a365d32710e25e2e81d19e58f1f5f30c45be460cad084a44fe52f2bcb49a47
• Opcode Fuzzy Hash: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
• Instruction Fuzzy Hash: B2324835300B4687EB598F51EA047ADA3A5FB95FC0F94C226CE5A43B94DF38E664C348

Control-flow Graph

[Control-flow graph for the function at 1845c4e2140: the node and edge listing spilled from the rendered graph image is not reproduced. Recoverable node labels: call 1845c4fb990, call 1845c4fd340, WSAStartup; call 1845c4fd7d0, GetCommandLineW, CommandLineToArgvW, call 1845c4eafc0, VirtualAlloc; InitializeCriticalSection; VirtualAlloc; memset, GetCurrentProcessId, call 1845c4fc950, lstrcmpiW; call 1845c4e2830, ExitThread; GetCurrentProcess, TerminateProcess; call 1845c4fd140, GetCurrentProcessId; memset, GetModuleFileNameW, wcsstr; GetNativeSystemInfo; IsUserAnAdmin; call 1845c4d5a00; call 1845c4f0e40, call 1845c4f0fa0, call 1845c4fd2a0, memset, wsprintfW, call 1845c4d1070, OpenSCManagerW; OpenServiceW, ChangeServiceConfig2W; GetLastError; CloseServiceHandle; CreateThread; WaitForSingleObject, CloseHandle; call 1845c4fca60; OpenProcess; TerminateProcess, CloseHandle; call 1845c4e26b0; WaitForSingleObject, GetExitCodeProcess; Sleep; call 1845c4f0680; call 1845c4e2000; call 1845c4e26b0, ExitProcess.]
APIs
  • Part of subcall function 000001845C4FB990: VirtualAlloc.KERNEL32 ref: 000001845C4FB9B9
  • Part of subcall function 000001845C4FB990: memcpy.NTDLL ref: 000001845C4FB9DD
  • Part of subcall function 000001845C4FB990: VirtualAlloc.KERNEL32 ref: 000001845C4FBA08
  • Part of subcall function 000001845C4FB990: memcpy.NTDLL ref: 000001845C4FBA3D
  • Part of subcall function 000001845C4FB990: memcpy.NTDLL ref: 000001845C4FBA73
  • Part of subcall function 000001845C4FB990: memset.NTDLL ref: 000001845C4FBB0C
  • Part of subcall function 000001845C4FB990: ExpandEnvironmentStringsW.KERNEL32 ref: 000001845C4FBB23
  • Part of subcall function 000001845C4FB990: memset.NTDLL ref: 000001845C4FBB38
  • Part of subcall function 000001845C4FD340: GetModuleHandleW.KERNEL32 ref: 000001845C4FD35F
  • Part of subcall function 000001845C4FD340: GetCurrentProcess.KERNEL32 ref: 000001845C4FD379
  • Part of subcall function 000001845C4FD340: K32GetModuleInformation.KERNEL32 ref: 000001845C4FD390
  • Part of subcall function 000001845C4FD340: memset.NTDLL ref: 000001845C4FD3A8
  • Part of subcall function 000001845C4FD340: GetSystemDirectoryW.KERNEL32 ref: 000001845C4FD3B7
  • Part of subcall function 000001845C4FD340: lstrcatW.KERNEL32 ref: 000001845C4FD3D9
  • Part of subcall function 000001845C4FD340: CreateFileW.KERNEL32 ref: 000001845C4FD406
  • Part of subcall function 000001845C4FD340: CreateFileMappingW.KERNELBASE ref: 000001845C4FD42D
  • Part of subcall function 000001845C4FD340: MapViewOfFile.KERNEL32 ref: 000001845C4FD457
  • Part of subcall function 000001845C4FD340: VirtualProtect.KERNEL32 ref: 000001845C4FD4F2
  • Part of subcall function 000001845C4FD340: memcpy.NTDLL ref: 000001845C4FD507
• WSAStartup.WS2_32 ref: 000001845C4E2167
  • Part of subcall function 000001845C4FD7D0: CoInitializeEx.OLE32 ref: 000001845C4FD820
  • Part of subcall function 000001845C4FD7D0: CoCreateInstance.COMBASE ref: 000001845C4FD845
  • Part of subcall function 000001845C4FD7D0: CoUninitialize.OLE32 ref: 000001845C4FD86E
• GetCommandLineW.KERNEL32 ref: 000001845C4E21A4
• CommandLineToArgvW.SHELL32 ref: 000001845C4E21B4
  • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EAFD7
  • Part of subcall function 000001845C4EAFC0: CreateEventW.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB061
  • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB086
  • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB098
  • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB0BD
  • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB0CF
  • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB0F4
  • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB106
  • Part of subcall function 000001845C4EAFC0: VirtualAlloc.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB12B
  • Part of subcall function 000001845C4EAFC0: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E1E17), ref: 000001845C4EB13D
• VirtualAlloc.KERNEL32 ref: 000001845C4E21D5
• InitializeCriticalSection.KERNEL32 ref: 000001845C4E21E7
• VirtualAlloc.KERNEL32 ref: 000001845C4E220C
• InitializeCriticalSection.KERNEL32 ref: 000001845C4E221E
• memset.NTDLL ref: 000001845C4E223F
• GetCurrentProcessId.KERNEL32 ref: 000001845C4E2244
• lstrcmpiW.KERNEL32 ref: 000001845C4E2264
• lstrcmpiW.KERNEL32 ref: 000001845C4E227F
• ExitThread.KERNEL32 ref: 000001845C4E2290
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$Initialize$CriticalSection$Creatememcpymemset$File$CommandCurrentLineModuleProcesslstrcmpi$ArgvDirectoryEnvironmentEventExitExpandHandleInformationInstanceMappingProtectStartupStringsSystemThreadUninitializeViewlstrcat
• String ID: %s\%s$/Processid:{F8284233-48F4-4680-ADDD-F8284233}$18.139.89.40$C:\Program Files\Windows Mail$Inject Test$Microsoft Mail Update Task MachineCore$MicrosoftMailUpdateTask$ParphaCrashReport64.exe$Schedule$perfmon.exe$svchost.exe$taskmgr.exe
• API String ID: 3540647475-1260490244
• Opcode ID: e4bfe4048ee3d54e59998916ce248c807bf3acb0d7d6f17c8420b9b790105c66
• Instruction ID: b020d48f581f3a51a80805c9025c464bb803209034d44802e40c84033a74db8e
• Opcode Fuzzy Hash: e4bfe4048ee3d54e59998916ce248c807bf3acb0d7d6f17c8420b9b790105c66
• Instruction Fuzzy Hash: 5EE19031200A57D3EB289FB1ED407DD6361FBA6B44F84C326D90A466A6EF38C745C749

Control-flow Graph

[Control-flow graph for the function at 180001010: the node and edge listing spilled from the rendered graph image is not reproduced. Recoverable node labels: malloc; call 180113300; call 180113336; malloc; memcpy * 2; memset, wsprintfW, CreateFileW; GetLastError; WriteFile; CloseHandle; SleepEx, memset, wsprintfW, CreateFileW (repeated three times with WriteFile, GetLastError and CloseHandle between them); Sleep; VirtualAlloc; memcpy, CreateThread, call 180001a10; VariantInit; SysAllocString; GetLastError; memset, wsprintfW, call 180001d60; memset, memcpy, CreateThread; call 180112660.]
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
                                                                                                                                              • String ID: %s\%s$\Microsoft\Windows
                                                                                                                                              • API String ID: 1085075972-4137575348
                                                                                                                                              • Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                                              • Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
                                                                                                                                              • Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                                              • Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: AllocErrorLastVirtual$MemoryProcessWrite
• String ID: @$h
• API String ID: 1382438346-1029331998
• Opcode ID: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
• Instruction ID: ffa8bb9d5679060274c192edda8875a2e98292844422b8fdaf3ff4d0c8d1a91d
• Opcode Fuzzy Hash: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
• Instruction Fuzzy Hash: A781E532218BC587E7648F69B84079EAB50F796BC4F849219EEC643B89DF3CC605CB45

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: FromString$CreateInitializeInstance
• String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 511945936-2205580742
• Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
• Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

Control-flow Graph

• Executed
• Not Executed
Basic blocks (address range: API calls -> successor blocks):
180001d60-180001d9f: (no calls) -> 180001da5, 180002078
180001da5-180001dd3: SysAllocString -> 180001dd9, 180002078
180001dd9-180001e0a: SysAllocString, SysAllocString -> 180001e10, 180002078
180001e10-180001e49: (no calls) -> 180001e4f, 180002078
180001e4f-180001e8c: (no calls) -> 180001e92, 180002078
180001e92-180001efb: (no calls) -> 180001f01, 180002078
180001f01-180001f55: IIDFromString -> 180001f5b, 180002075
180001f5b-180001fb4: SysAllocString, SysAllocString -> 180001fba, 180002078
180001fba-180001fd3: (no calls) -> 180001fd9, 180002078
180001fd9-18000205f: VariantInit, SysAllocString -> 18000206a
18000206a-180002070: (no calls) -> 180002072, 180002098
180002072: (no calls) -> 180002075
180002075: (no calls) -> 180002078
180002078: (no calls) -> 18000207a
18000207a-180002097: call 180112660 (no successors)
180002098-1800020ad: (no calls) -> 18000207a

Every failed check on the way down leaves through the shared block at 180002078. The body allocates BSTRs, converts a GUID string with IIDFromString and initialises a VARIANT, which is consistent with preparing a COM call; the strings seen in this function are SYSTEM and {4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}. This is the callee 180001d60 reached from the function at 180001010 after its VariantInit/SysAllocString step.
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: String$Alloc$FromInitVariant
• String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
• API String ID: 929278495-107290059
• Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
• Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CloseEnumHandleServiceServicesStatusfree$ManagerOpenlstrcmpimallocmemset
• String ID:
• API String ID: 2647132813-0
• Opcode ID: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
• Instruction ID: 88a1558a43fc4ea7b045347fb81026a46ee3ca45e6e6e98a1b7e4a01a8cff4e5
• Opcode Fuzzy Hash: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
• Instruction Fuzzy Hash: 7C41A632204B558BD764CF66F84069EB7A4F7C9B44F948225DA8E43B14DF3CD649CB44

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Heap$AllocCloseCreateHandleProcessSnapshotToolhelp32
• String ID:
• API String ID: 1926892967-0
• Opcode ID: 556f8c45a5b3be51068a5fed4b8b05554424f686ed4d881aa42d630a1535f563
• Instruction ID: a2db3c4f43d9a416bc19abeb2d76d44d3a3296e32b18dfd239547535403be05e
• Opcode Fuzzy Hash: 556f8c45a5b3be51068a5fed4b8b05554424f686ed4d881aa42d630a1535f563
• Instruction Fuzzy Hash: 9221C131310A4283EB689F62E8047ADB7A0F789FE4F888321EE5647795DF3CD6418708

APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
• String ID:
• API String ID: 1267121359-0
• Opcode ID: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
• Instruction ID: 72a64ac5ab2b89b045fcb62132ac7ec593ad37646025f2d6bf68d860be30e048
• Opcode Fuzzy Hash: 44c899de9843c07d997477ea65153a2f26deeedfdeec94036e1e1bc8e67b5a7d
• Instruction Fuzzy Hash: 51317C22E18B9583E711CB28D5083AD73A0F3AAB98F49E315DF9902756EF34E284C704

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: File$CreateModuleProtectVirtual$CurrentDirectoryHandleInformationMappingProcessSystemViewlstrcatmemcpymemset
• String ID: .text$\ntdll.dll$ntdll.dll
• API String ID: 992094507-3745270394
• Opcode ID: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
• Instruction ID: df02ff196e07b9798dbf293d1abc4370a181084f91e3cececcd59cfe634687cd
• Opcode Fuzzy Hash: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
• Instruction Fuzzy Hash: D651AE72714A9687EB65CF21E4487DEB3A0F799B48F848215CA8A03B58DF3CD244CB08
Note: opening ntdll.dll from the system directory with CreateFile, mapping it with a file mapping and a mapped view, then using VirtualProtect and memcpy against the ".text" section is the well-known sequence for overwriting the loaded ntdll .text with a clean copy from disk, which removes user-mode API hooks. It matches the "Found direct / indirect Syscall (likely to bypass EDR)" signature reported for this sample.

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2928848258.000001845B3A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B3A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845b3a0000_svchost.jbxd
Similarity
• API ID: AddressCallerLibraryLoadProc
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 4215043672-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
                                                                                                                                              • Instruction ID: c381af4db78858afda48622ee0d699de6729f89d134ab15c92d4731855fb9dee
                                                                                                                                              • Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
                                                                                                                                              • Instruction Fuzzy Hash: 4771D130604A0A8BEB58EF58C845BED77E1FF94710F20815AD80AE7296DF35E9428F85

                                                                                                                                              Control-flow Graph

                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2928816017.000001845B370000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B370000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845b370000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                              • String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
                                                                                                                                              • API String ID: 1029625771-3994871222
                                                                                                                                              • Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
                                                                                                                                              • Instruction ID: a74a42356ef8f54fa7955b3c366e675d3a8961867c6609bc0195d9789616b061
                                                                                                                                              • Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
                                                                                                                                              • Instruction Fuzzy Hash: 8471A031614A0A8BEB58EF58C855BED77E1FF94310F21815AD80AE7286DF34DA42CF85

                                                                                                                                              Control-flow Graph

                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: StringUninitialize$AllocCreateFreeInitializeInstance
                                                                                                                                              • String ID: Block All Outbound
                                                                                                                                              • API String ID: 4211003860-2946277995
                                                                                                                                              • Opcode ID: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
                                                                                                                                              • Instruction ID: 4c0aa9e46115998dcc924684b757b4575249f13291dda10f3b73d0ed50671016
                                                                                                                                              • Opcode Fuzzy Hash: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
                                                                                                                                              • Instruction Fuzzy Hash: 50311876B00B15CBEB009F76D84429C7770F794F88B448926DA1D47B28DF38C664CB84

                                                                                                                                              Control-flow Graph

                                                                                                                                               Control-flow graph, basic blocks (node: address range, API call, successors)
                                                                                                                                               • 480: 1845c4ef560-1845c4ef56e -> 481, 482
                                                                                                                                               • 481: 1845c4ef6f1-1845c4ef700 (no successors)
                                                                                                                                               • 482: 1845c4ef574-1845c4ef57e -> 481, 483
                                                                                                                                               • 483: 1845c4ef584-1845c4ef5aa VirtualAlloc -> 484, 485
                                                                                                                                               • 484: 1845c4ef5b0-1845c4ef5c2 memcpy -> 486, 487
                                                                                                                                               • 485: 1845c4ef6d5-1845c4ef6d7 -> 488
                                                                                                                                               • 486: 1845c4ef5ce-1845c4ef5d2 -> 489, 490
                                                                                                                                               • 487: 1845c4ef5c4-1845c4ef5c8 -> 486, 489
                                                                                                                                               • 488: 1845c4ef6ba-1845c4ef6ce (no successors)
                                                                                                                                               • 489: 1845c4ef67d-1845c4ef68e -> 491, 492
                                                                                                                                               • 490: 1845c4ef5d8-1845c4ef5db -> 493, 494
                                                                                                                                               • 491: 1845c4ef690-1845c4ef698 -> 492, 495
                                                                                                                                               • 492: 1845c4ef6d9-1845c4ef6ef VirtualFree -> 488
                                                                                                                                               • 493: 1845c4ef5e1-1845c4ef5e9 -> 496, 497
                                                                                                                                               • 494: 1845c4ef664-1845c4ef66e -> 498
                                                                                                                                               • 495: 1845c4ef69a-1845c4ef6ad -> 499, 500
                                                                                                                                               • 496: 1845c4ef5f2-1845c4ef60f -> 501
                                                                                                                                               • 497: 1845c4ef5eb-1845c4ef5f0 -> 496
                                                                                                                                               • 498: 1845c4ef670-1845c4ef67b -> 489, 498 (self-loop)
                                                                                                                                               • 499: 1845c4ef6cf VirtualFree -> 485
                                                                                                                                               • 500: 1845c4ef6af-1845c4ef6b5 VirtualFree -> 488
                                                                                                                                               • 501: 1845c4ef610-1845c4ef65e -> 501 (self-loop), 502
                                                                                                                                               • 502: 1845c4ef660-1845c4ef662 -> 489, 494
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Free$Allocmemcpy
                                                                                                                                              • String ID: M$Z
                                                                                                                                              • API String ID: 2981101286-4250246861
                                                                                                                                              • Opcode ID: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
                                                                                                                                              • Instruction ID: 98ecbdbaaa5dde0254cb65932f8bcb7f3ff8020b1b5658f4ccc75085e62ecc5e
                                                                                                                                              • Opcode Fuzzy Hash: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
                                                                                                                                              • Instruction Fuzzy Hash: 9D410236B10BC283FB158F3DD0007AD6790A7E6B94F55C315EA96163E5EF29C602C309

                                                                                                                                              Control-flow Graph

                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseHandle$CreateErrorLastProcessSuspendThread
                                                                                                                                              • String ID: h
                                                                                                                                              • API String ID: 2500411409-2439710439
                                                                                                                                              • Opcode ID: 0b268da3d10d4c3e51607ed6fa644b71a4395eb09a036cb45f3a7793d543c8a6
                                                                                                                                              • Instruction ID: a1a21c8a76dd3432da82a2d8d92c1181e469f071f561da0d7d75e3bff373a155
                                                                                                                                              • Opcode Fuzzy Hash: 0b268da3d10d4c3e51607ed6fa644b71a4395eb09a036cb45f3a7793d543c8a6
                                                                                                                                              • Instruction Fuzzy Hash: 8731AE37A18B81C7E7508F91E44479EB3A4F3A8B94F129326EA9803B15DF79C5D0CB04

                                                                                                                                              Control-flow Graph

                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$FreeVirtual$DeleteEnterLeaveRead
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 4123369522-0
                                                                                                                                              • Opcode ID: aa19078ca0c6afd7a821f8a8ac8a84ee5709a37a32491cc2cb8c739b25d204c7
                                                                                                                                              • Instruction ID: 8ae27e31e23b89755b310283ec15db42feeb2ec51d47047bda7a1a9d16e5319e
                                                                                                                                              • Opcode Fuzzy Hash: aa19078ca0c6afd7a821f8a8ac8a84ee5709a37a32491cc2cb8c739b25d204c7
                                                                                                                                              • Instruction Fuzzy Hash: C3019A31324F4283FB488F62E54439DA361FBA9F88F88C122DE5A03B54DF38D2658718
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: DeleteFile$Sleep
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2100639427-0
                                                                                                                                              • Opcode ID: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
                                                                                                                                              • Instruction ID: ee9c1bd20bde787a3df6403edb75ddca03fdaf3f5216dae4a0b383b50a80e175
                                                                                                                                              • Opcode Fuzzy Hash: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
                                                                                                                                              • Instruction Fuzzy Hash: 5CD05E20301A0986FB9A5BB2E8583E613A85B0DBD2F0860249C1685280DF18C7CE8301
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2928848258.000001845B3A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B3A0000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845b3a0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FreeVirtual
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1263568516-0
                                                                                                                                              • Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                              • Instruction ID: ef4bb6c71454d22b561e0105ee1553b42766148eaa3c283ca195eff69e386f39
                                                                                                                                              • Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                              • Instruction Fuzzy Hash: 2131C3316586018BDB5CEA1CE8C26A973D0F795304B30529EE9C7D71C7EE39E9438B89
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931401683.000001845C380000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001845C380000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c380000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FreeVirtual
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1263568516-0
                                                                                                                                              • Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                              • Instruction ID: 951e66a6b1d21aabd3b8155fc870e722c2ada9e282e41ce921d080dec94f9224
                                                                                                                                              • Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                              • Instruction Fuzzy Hash: 6E31E5316496058BDB5CDA1CE8C26A873D0FB55304B60429DDAC7C7187EE39E803C789
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2928816017.000001845B370000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001845B370000, based on PE: false
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845b370000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FreeVirtual
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1263568516-0
                                                                                                                                              • Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                              • Instruction ID: fb5624946f701f58ffc31c8419db3424fa54852be020087c6986d22e8504e12a
                                                                                                                                              • Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
                                                                                                                                              • Instruction Fuzzy Hash: 7131C3316586018BEB5CDA1CE8C26AD73D0F795304B20519EE9C7D7187EE39E9438B89
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ProcessProcess32TerminateThread$CloseCreateCurrentExitFirstHandleNextSleepSnapshotToolhelp32lstrcmpimemset
                                                                                                                                              • String ID: %s\%s$.sys$18.139.89.40$C:\Program Files\Windows Mail$Inject Test$MicrosoftMailUpdateTask$ParphaCrashReport64.exe$\drivers\$arphaDump64.bin$arphaDump64.dll$install.cfg$sys$temp.key
                                                                                                                                              • API String ID: 946687889-3621241513
                                                                                                                                              • Opcode ID: 8dbe50d77f5718792daa63e7825474cf3ac01c488a0ec9092139019c621d13d3
                                                                                                                                              • Instruction ID: 6ab1ac2c70caad825dfc093b1eae6746e03858c719bffa4d84152d2260ec190f
                                                                                                                                              • Opcode Fuzzy Hash: 8dbe50d77f5718792daa63e7825474cf3ac01c488a0ec9092139019c621d13d3
                                                                                                                                              • Instruction Fuzzy Hash: 45C14E32200AABD7EB25DFA1EC447DDA371F7A5B48F84C212C90A46665EF38C749C749
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process$Token$CloseHandle$Freememset$LookupOpenVirtuallstrcpy$File$AccountAdjustCreateCurrentErrorGlobalInformationLastPrivilegePrivilegesProcess32Value$AllocClassDeviceDriveEnumFirstImageInfoLogicalMemoryModulesNameNextPriorityQuerySessionSizeSnapshotStringsToolhelp32__chkstklstrcatlstrlenwcsncmp
                                                                                                                                              • String ID: H$SeDebugPrivilege$unknown
                                                                                                                                              • API String ID: 976869081-3969872153
                                                                                                                                              • Opcode ID: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                                              • Instruction ID: 9f82c31e2c7568b2c87e75ad0a7f684a87b3a53f41341551b6bd8e16aead4708
                                                                                                                                              • Opcode Fuzzy Hash: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                                              • Instruction Fuzzy Hash: E522A332600B9687EB24CF61E8447DD73A1FB99B98F808316EA5947B98EF38C745C744
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: memset$Free$Virtual$CloseHandle$ErrorHeapLast$CreateCriticalFileProcessSection$Process32wsprintf$AllocDeleteDirectoryEnterFirstLeaveNextPathReadRemoveSnapshotSpecToolhelp32WindowsWrite__chkstklstrcatlstrcmpilstrlen
                                                                                                                                              • String ID: "tdata\key_datas" "tdata\D877F783D5D3EF8Cs" "tdata\D877F783D5D3EF8C\configs" "tdata\D877F783D5D3EF8C\maps" "tdata\A7FDF864FBC10B77$%s\tdata_%d.rar$Telegram.exe$\rar.exe$rar.exe a "tdata_%d.rar" %s -m5
                                                                                                                                              • API String ID: 1825664495-2162963810
                                                                                                                                              • Opcode ID: 08fa0c8610ccb77aff50ece9baa1541d2cea37af8860a12628358939bf64a7d1
                                                                                                                                              • Instruction ID: d94f99b3b8208d82541a41e23b3f2df4e259abba0e6f1c034aa8e22557180a9e
                                                                                                                                              • Opcode Fuzzy Hash: 08fa0c8610ccb77aff50ece9baa1541d2cea37af8860a12628358939bf64a7d1
                                                                                                                                              • Instruction Fuzzy Hash: 38E19D32700B9697EB24DFA2E9447DD63A1FB9AB88F408215CE4A47B98DF38C345C745
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$Virtual$Alloc$EnterLeaveRead$Process$CreateCurrentErrorLastThreadTokenmemset$AdjustCloseDirectoryFreeHandleInitializeLookupOpenPrivilegePrivilegesSystemValuelstrcatwsprintf
                                                                                                                                              • String ID: :G:$:$A:|:$B:_:$I:N:$I:S:$R:U:$U:Y:$V:V:$\\.\Pipe\%d_pipe%d$^:$_:I:$f:^:$j:H:${:~:$~:~:
                                                                                                                                              • API String ID: 1888231936-1994672154
                                                                                                                                              • Opcode ID: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
                                                                                                                                              • Instruction ID: 20ce504eacf646f25851e58ed7774aef9c0973e047861bcb9b446a15f24958d5
                                                                                                                                              • Opcode Fuzzy Hash: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
                                                                                                                                              • Instruction Fuzzy Hash: 99E1AB73604B91CBE7148F61E8007EEBBB0F795B98F459216DE9907A59EF38D284CB04
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Freelstrlen$memset$ProcessToken$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValuehtonsinet_ntoalstrcpy$Alloc
                                                                                                                                              • String ID: SeDebugPrivilege$System$TCP
                                                                                                                                              • API String ID: 2139412910-32757284
                                                                                                                                              • Opcode ID: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                                              • Instruction ID: 8d6277c870a552f8d83a9848704f5c7af2f372fc1522890840096eaa4a836adc
                                                                                                                                              • Opcode Fuzzy Hash: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                                              • Instruction Fuzzy Hash: 9BF18F76310A9587EB24DF66E844BDE77B0F789B98F408216CA5A47B58DF38C248CB44
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$lstrcat$AllocCriticalFreeSection$File$CloseHandle$EnterErrorLastProcessReadmemset$CreateLeaveMovememcpy$CurrentDeleteInitializeTerminateWrite
                                                                                                                                              • String ID: .bak$18.139.89.40$C:\Program Files\Windows Mail$ParphaCrashReport64.exe$arphaDump64.bin$h
                                                                                                                                              • API String ID: 2211108363-2823075684
                                                                                                                                              • Opcode ID: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                                              • Instruction ID: 92e861b1de5cff73e44cb5ed11c8745a511073350e7177d4ebdad224838e7f76
                                                                                                                                              • Opcode Fuzzy Hash: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                                              • Instruction Fuzzy Hash: B7D1D132710B9687EB24CF71E8447ED6361FB99B88F40D316DA4A17A69EF38C255C348
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Free$lstrlen$ProcessTokenmemset$CriticalSection$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValue$AllocDeleteEnterLeaveReadhtonsinet_ntoalstrcpy
                                                                                                                                              • String ID: 0.0.0.0$SeDebugPrivilege$System$UDP
                                                                                                                                              • API String ID: 3759433425-459619966
                                                                                                                                              • Opcode ID: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
                                                                                                                                              • Instruction ID: 6072c5dda7ee4d97fa871a10c0060a0dd374e28672bf7c5220c29cb99e6c07db
                                                                                                                                              • Opcode Fuzzy Hash: 2bc8028b07d01d9ba69e09a3802a839e12856a2c9f2d2d692c2ea6f1d234ecb0
                                                                                                                                              • Instruction Fuzzy Hash: 18F17D76310B9187EB24DF62E8547DE77B1F789B98F809216CA4A47B58DF38C248CB44
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Freelstrcat$Read$EnterLeave$DirectoryErrorLastmemset$InitializeSystemWindowsmemcpy
• String ID: :$B:_:$HTTP$I:N:$R:U:$TCP$UDP$V:V:$\syswow64$f:^:
• API String ID: 1846020110-2823427824
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: Virtual$AllocCriticalFreeSection$Heaplstrcat$EnterProcessRead$CloseDirectoryErrorHandleLastLeaveProcess32Sessionmemset$ActiveConsoleCreateFirstInitializeNextSnapshotSystemToolhelp32Windowslstrcmpimemcpy
• String ID: $@$HTTP$TCP$UDP$\dllhost.exe$\syswow64$explorer.exe
• API String ID: 2239626338-2826464075
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: Virtual$Free$ErrorLast$lstrcatmemset$AllocProcess$CreateMemoryOpenRemoteThreadWritememcpy
• String ID: 18.139.89.40$:$@$Inject Test
• API String ID: 1625309433-3053173843
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: Process$Handle$AddressCloseFileFreeOpenProcSleepTokenVirtuallstrcpymemset$AdjustCurrentDeleteDeviceDriveEnumErrorImageLastLogicalLookupModuleModulesNamePrivilegePrivilegesQueryStringsTerminateValuelstrcatlstrlenwcsncmp
• String ID: NtResumeProcess$NtSuspendProcess$SeDebugPrivilege$ntdll.dll
• API String ID: 335747669-263106891
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: Virtual$Free$Alloc$CloseErrorFileHandleLast$Createlstrcatlstrlen$DirectoryPathProcessRemoveSpecWindowsWritememsetwsprintf
• String ID: \rar.exe$h$rar.exe a "%s" %s -m5
• API String ID: 460989278-1571478729
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: lstrcat$memset
• String ID: ::$:U:M:m:S:$:$:$:$H:L:$L:_:$N:[:$T:I:$T:I:$T:^:$T:^:$T:^:$U:M:$U:M:$U:M:$Windows 2003$Windows XP$_:H:$_:H:$_:H:i:_:U:M:m:S:$i:_:$m:S:$m:S:$m:S:
• API String ID: 2788080104-1869930141
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: Virtual$Free$Filelstrcmpi$CreateInfoParametersSystemThreadlstrlen$AllocCloseExecutionHandleObjectReadSingleSizeStateWaithtonsmemsetwsprintf
• String ID: %s\%s$18.139.89.40$C:\Program Files\Windows Mail$HTTP$PTCP$TCP$UDP$install.cfg
• API String ID: 1274318034-1750346968
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: Virtual$Alloc$CriticalSection$Free$EnterReadServicelstrlenmemcpy$EnumLeaveLocalOpenServicesStatus$CloseConfig2HandleInitializeManagerQuerymemset
• String ID:
• API String ID: 1976463032-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: ErrorLast$memcpy$closesocketconnectfreeaddrinfogetsocknamehtonssocketstrncpy
• String ID: GET$POST$RAW$Unable to connect$client_connect3$conn fail: %d$conn fail: change pollfd$conn fail: insert fd$conn fail: skt creation: errno %d$conn fail: skt options: errno %d$conn fail: sock accept$conn fail: socket bind$lws_free$waiting for event loop watcher to close
• API String ID: 3000816023-458479724
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$AllocRead$EnterFileFreeLeave$lstrcat$CloseCreateErrorHandleLastSizememset
• String ID: @$C:\Program Files\Windows Mail$\cp.cfg
• API String ID: 1502650097-1776503346
• Opcode ID: 03e5816f0febf9f2516ba56efb62d54b0cca26d4fb6bcd281216f8244b78d330
• Instruction ID: 8e3b75837cc7b169952f15b97cae5d8daba851652c660947d9d54fbaeab44093
• Instruction Fuzzy Hash: EFC1AD32315B9687EB248F29E5447ADA3A0FB9AF84F44C315DE5A03B94DF38C615C709
Similarity
• API ID: lstrlen$ByteCharMultiWide$ClipboardVirtual$AllocGlobal$Freememcpy$CloseDataEmptyLockOpenUnlock
• String ID: !
• API String ID: 17242508-2657877971
• Opcode ID: d0d0cce1298095d55bda04961aa882279e2f81b3c830c1949f663db54f22f3fc
• Instruction ID: 5b9c281e286b791352693fe723b8e59261dbe8a990d5c48c14216bf7fb0d0741
• Instruction Fuzzy Hash: 3A71D031200B5683EB18DF62E9447DDB7A5FBA9FC1F848225D94B52BA4DF3CC2058389
Similarity
• API ID: lstrcat$CriticalFileFindSectionmemset$FreeLeaveNextVirtual$CurrentEnterFirstObjectReadSingleSleepThreadWait__chkstklstrlenwcsstr
• String ID: *.*
• API String ID: 491004167-438819550
• Opcode ID: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
• Instruction ID: ced4531eee078bbbe823f11d09c565f9c8d1db08c924db771b935d818814606c
• Instruction Fuzzy Hash: 2991AD32300B56C7EB24CF62E9447EDA3A1F799B84F85C226DE4947A98EF38C605C705
Similarity
• API ID: CriticalSection$Virtual$AllocEnterFileLeaveRead$Freelstrcat$CloseCreateHandlePointerWritememset
• String ID: C:\Program Files\Windows Mail$\cp.cfg
• API String ID: 1370748441-3904790782
• Opcode ID: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
• Instruction ID: ac4151d6723362a57e44ce5fad30c030c7318ceefd1bcdbb7c1b4b8f14dbfa1b
• Instruction Fuzzy Hash: 9EE1BD32710B8683EB258F39E544BADA3A1FB96F84F55D316DA8A03B54EF38C654C704
Similarity
• API ID: Virtual$CriticalSection$AllocFree$EnterErrorFileLastRead$CreateLeavehtonslstrcatmemset$CloseDirectoryHandleInitializeWindowsWrite
• String ID: 18.139.89.40$\\.\{F8284233-48F4-4680-ADDD-F8284233}$\system32\drivers\tpdrivers.sys$tpdrivers
• API String ID: 3655753775-2065539051
• Opcode ID: db220a0706c505ffdfe986e89b00e689603627b43e6aef5444c71a3e61a513cc
• Instruction ID: 965c3f4858349bc1e6c5326b625feddbe776735589b2fbc3194db656e353939b
• Instruction Fuzzy Hash: FE71C232315A6683FB64DF62E8547DEA3A1FB99B84F40C215DA8A43B94DF3CD2548708
Similarity
• API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leavememcpy$CreateCurrentErrorInitializeLastMutexProcessSleepfreelstrcatmallocmemsetwsprintf
• String ID: %s%d$:$Inject Test
• API String ID: 3230380526-1060902658
• Opcode ID: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
• Instruction ID: e6adcabd7d0182bcec813dbf64fbb96e906a5a8de0cbbcfd531fe0369516a711
• Instruction Fuzzy Hash: CB919032705B5683EB14CF66E4047EDA361FBAAF84F44C325DA8A42B55DF3CC2448745
Similarity
• API ID: File$lstrlen$memset$ByteCharMultiVirtualWideWindow$AllocAttributesCreatePointerProcessWritelstrcat$CloseCountForegroundFreeHandleLocalSessionTextThreadTickTime__chkstkwsprintf
• String ID: [Keyboard recording content:]$[PROCESS:]%s[USERID:]%d[TITLE:]%s[TIME:]%d-%d-%d %d:%d:%d
• API String ID: 599969897-1868071797
• Opcode ID: f17e409ea88a83495190c95706f18a929b1a90729d272230387f25703c5392a2
• Instruction ID: 13cf37d4eb13a2916675e06d7e140b1f935d3c9c174cbcf0b39b325502ee8666
• Instruction Fuzzy Hash: 2D7181326047A6C7E724DF65E8403DEBBA1F795B84F448216E94E87A64DF38C345CB84
Similarity
• API ID: Virtual$Free$memset$CriticalSection$Alloc$Enum$EnterRead$LeaveValue$CloseInitializeOpen__chkstk
• String ID:
• API String ID: 2734444383-0
• Opcode ID: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
• Instruction ID: 6a23d256e1bb42cfa1fb084b5c4ea3267bc4720471d036c788e4943138a5079d
• Instruction Fuzzy Hash: 4BF16A32310A9187EB64CF62D998ADEB3A1FB8AB85F408115CF5A47B58DF38C215CB04
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent$memset
• String ID:
• API String ID: 1099351009-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
• String ID: Schedule
• API String ID: 3636854120-2739827629
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CloseHandle$CreateFreeVirtual$Pipe$InfoProcessStartupThreadlstrcatmemset
• String ID:
• API String ID: 3234776578-3916222277
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CloseErrorHandleLastmemset$CreateFileVirtual$AllocDirectoryFreeProcessWindowsWritelstrcatwsprintf
• String ID: \rar.exe$h$rar.exe x "%s" "%s"
• API String ID: 2158214755-1420003661
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$FreeProcess$Heap$EnterReadSession$CloseCreateHandleLeaveProcess32lstrcat$ActiveConsoleCurrentFirstInitializeNextSnapshotThreadToolhelp32lstrcmpimemcpymemset
• String ID: explorer.exe
• API String ID: 1072794995-3187896405
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Process$Token$CloseHandleOpen$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue$EnumFileImageModulesNamelstrcpymemset
• String ID: SeDebugPrivilege$SeTcbPrivilege
• API String ID: 4244359295-3171858176
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: closesocketsetsockopt$ErrorLast$listensocket
• String ID: %s: VH %s: iface %s port %d DOESN'T EXIST$%s: VH %s: iface %s port %d NOT USABLE$ERROR opening socket$Out of mem$_lws_vhost_init_server_af$listen failed with error %d$listen|%s|%s|%d$lws_create_vhost$reuseaddr failed
• API String ID: 3630065070-1684632830
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$Find$EnterFileRead$LeaveNextlstrcatmemset$CloseFirstInitialize
• String ID: *.*
• API String ID: 3909642798-438819550
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CountCursorTickWindowmalloc$ForegroundInfoTextfreelstrlenmemsetwsprintf
• String ID: %s|%d
• API String ID: 14445030-1229896841
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd

Similarity
• API ID: Service$ErrorLast$CloseHandle$lstrcatmemset$CreateDirectoryManagerOpenStartWindows
• String ID: FSFilter Activity Monitor$FltMgr$\system32\drivers\tpdrivers.sys$tpdrivers
• API String ID: 4233479461-606275738

Similarity
• API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
• String ID: \Pbk-N
• API String ID: 4179252731-2524875733

Similarity
• API ID: FreeVirtual$Servicelstrlenmemcpy$CloseHandlelstrcpy$AllocConfigLocalQuery
• String ID: \Pbk
• API String ID: 4179252731-1099493443

Similarity
• API ID: Virtual$AllocCriticalFreeSection$Read$EnterFile$CloseHandleLeavelstrcat$CreateInitializeSizememset
• String ID: C:\Program Files\Windows Mail$\temp.key
• API String ID: 1994389154-229217837

Similarity
• API ID: File$AttributesCreatePointerVirtualWritelstrcat$AllocCloseCountFreeHandleTickmemset
• String ID: C:\Program Files\Windows Mail$\temp.key
• API String ID: 573267298-229217837

Similarity
• API ID: Clipboard$CriticalSectionlstrlen$Global$CloseEnterLeavememcpy$AllocDataEmptyLockOpenUnlockmemcmp
• String ID:
• API String ID: 1993803941-0

Similarity
• API ID: Virtual$Alloc$MemoryProcessWrite$Protect$AddressErrorFreeHandleLastModuleProcmemcpy
• String ID: @$ZwCreateThreadEx$h$ntdll.dll
• API String ID: 2541485474-1855171776

Similarity
• API ID: FromString$CreateInitializeInstance
• String ID: :_:$:Y:$:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 511945936-736265694
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CreateTokenUser$CloseErrorHandleLastProcess$BlockConvertDuplicateEnvironmentInformationLengthQueryString
                                                                                                                                              • String ID: S-1-16-12288
                                                                                                                                              • API String ID: 1141289200-1849704789
                                                                                                                                              • Opcode ID: caeb1a379e724c93c67c04a80382c5ed4d88f45cfcb5109627a83da083652068
                                                                                                                                              • Instruction ID: 416140f666058c452021d40870dd9c68003e6d40515f9707e28d2dd3b6a9b11b
                                                                                                                                              • Opcode Fuzzy Hash: caeb1a379e724c93c67c04a80382c5ed4d88f45cfcb5109627a83da083652068
                                                                                                                                              • Instruction Fuzzy Hash: 64614D36604B55C7EB108FA1E88079EB7B4F799B88F504215EE8953F28DF38D295CB44
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Event$ClearCloseOpen
                                                                                                                                              • String ID: Application$Security$Setup$System
                                                                                                                                              • API String ID: 1391105993-476969907
                                                                                                                                              • Opcode ID: 5021a1d87680e35f003e85da53eefad997846ad59c3c35a2b55918231f5bdb21
                                                                                                                                              • Instruction ID: eb4902bacb9716d8a145958cfeb9317bf8f19d3fd096ca1d6c3070a3bf0b52cc
                                                                                                                                              • Opcode Fuzzy Hash: 5021a1d87680e35f003e85da53eefad997846ad59c3c35a2b55918231f5bdb21
                                                                                                                                              • Instruction Fuzzy Hash: 4B11C174601F27C3FE1D9FB6B95839D92916F5DF41F88C725880A86350EE3CC2498348
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FreeVirtual$EventEvents$CreateCriticalEnumMultipleNetworkSectionSelectWait$CurrentEnterLeaveReadThread
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 4074094491-0
                                                                                                                                              • Opcode ID: 0f0ffae681726fcd768551af21c48319e4c13f85f93b30996a74dbc28cd3cd94
                                                                                                                                              • Instruction ID: bf414f5f577f3c91212c2572975033aaa3508c88342c5e267bcccb2187cf9eef
                                                                                                                                              • Opcode Fuzzy Hash: 0f0ffae681726fcd768551af21c48319e4c13f85f93b30996a74dbc28cd3cd94
                                                                                                                                              • Instruction Fuzzy Hash: E4B1BC32301B4687EB64DF56E444BAEB3A4FB8AF90F44C211DE9A47B94DF38C6458748
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocCriticalFreeSection$Read$Enter$CloseHandleInitializeLeave$CreateEventMultipleObjectsWait
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1725847572-0
                                                                                                                                              • Opcode ID: 876fc3b34448328f9269e67c67e9409e61e97c701b227af607bf82faa45f4fcb
                                                                                                                                              • Instruction ID: 8f6bb53bc42ec199e4724ec7b564416bd44402f651e95579e9cb261f1b04432c
                                                                                                                                              • Opcode Fuzzy Hash: 876fc3b34448328f9269e67c67e9409e61e97c701b227af607bf82faa45f4fcb
                                                                                                                                              • Instruction Fuzzy Hash: 49A14536201B4187EB58CF62E494BAD73A4FB99F84F45C225CE4A43B58DF38D664C788
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocCriticalSection$Free$FileRead$EnterErrorLast$Leavefree$CreateInitializePointerSizemallocmemcpy
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1128571104-0
                                                                                                                                              • Opcode ID: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
                                                                                                                                              • Instruction ID: 56ecf1c5cd5917ef1a6a3e50233193b740224f56fd51ad1ba04a06ec013d7fe3
                                                                                                                                              • Opcode Fuzzy Hash: af9bb7d1b2c8ca7110cb3b755bcb326d2b0b0e4f4ea9e483cf88b5d16ac75476
                                                                                                                                              • Instruction Fuzzy Hash: DD71AB36305B9187EB64CFA2E95479EB3A1FB99F94F408215CE8A43B54DF38C249CB44
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: EventEvents$FreeVirtual$CreateEnumMultipleNetworkSelectWaitmemset$Cancel__chkstkclosesocketrecv
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3006828577-0
                                                                                                                                              • Opcode ID: 755613185204baf14ea6cb944d7e5b8ba692d085ee73819a7632e4f2f8082908
                                                                                                                                              • Instruction ID: 504ac75545cdacc18b651341fdd4bd4d027158b93bafea95c5984a6e3951eabc
                                                                                                                                              • Opcode Fuzzy Hash: 755613185204baf14ea6cb944d7e5b8ba692d085ee73819a7632e4f2f8082908
                                                                                                                                              • Instruction Fuzzy Hash: E0710532300B9283EB648F66E454BDEA7A1F796F90F54C211DE5A837A4DF38D645CB08
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CapsDevice$BlockInput$Virtualkeybd_event
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 4019288356-0
                                                                                                                                              • Opcode ID: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
                                                                                                                                              • Instruction ID: 918ee9a51b7a60b8374d9d6ebde108e903eec850dbd254bbaf804c873493088e
                                                                                                                                              • Opcode Fuzzy Hash: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
                                                                                                                                              • Instruction Fuzzy Hash: 1461353261469583E3698F31E848BEEB3A1FB9AB41F54D712DE4A02764DF39E684C704
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: strchr
                                                                                                                                              • String ID: %s: ended on e %d$%s: malformed ip address$lws_create_vhost$lws_parse_numeric_address
                                                                                                                                              • API String ID: 2830005266-2525933588
                                                                                                                                              • Opcode ID: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
                                                                                                                                              • Instruction ID: eb042f112b405d42970fb4d10b27aaa805432e48b5306107ca279fd786b04090
                                                                                                                                              • Opcode Fuzzy Hash: 70010e423fb3755efd61014bceaeae7baf17920ebf1afdbeec04516e640b8e02
                                                                                                                                              • Instruction Fuzzy Hash: 52A139323045AE87FB258AA994043EEE6D1E7627A4F54C311EAA747AD5CF34C74DC309
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4E7423
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
• VirtualFree.KERNEL32 ref: 000001845C4E744D
• VirtualFree.KERNEL32 ref: 000001845C4E749D
• VirtualFree.KERNEL32 ref: 000001845C4E74C7
• VirtualFree.KERNEL32 ref: 000001845C4E74EF
• VirtualFree.KERNEL32 ref: 000001845C4E7519
• DisconnectNamedPipe.KERNEL32 ref: 000001845C4E7546
• CloseHandle.KERNEL32 ref: 000001845C4E7555
• DeleteCriticalSection.KERNEL32 ref: 000001845C4E7563
• VirtualFree.KERNEL32 ref: 000001845C4E7574
• VirtualFree.KERNEL32 ref: 000001845C4E7615
• VirtualFree.KERNEL32 ref: 000001845C4E763F
• VirtualFree.KERNEL32 ref: 000001845C4E7655
• VirtualFree.KERNEL32 ref: 000001845C4E767F
• VirtualFree.KERNEL32 ref: 000001845C4E7695
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3678
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3691
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E36A7
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E36CB
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E36E4
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E36FA
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3726
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E373F
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3755
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3779
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3792
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E37A8
  • Part of subcall function 000001845C4E6BC0: IsBadReadPtr.KERNEL32 ref: 000001845C4E6BE3
  • Part of subcall function 000001845C4E6BC0: EnterCriticalSection.KERNEL32(?,?,00000038,000001845C4E71A6), ref: 000001845C4E6BFE
  • Part of subcall function 000001845C4E6BC0: LeaveCriticalSection.KERNEL32(?,?,00000038,000001845C4E71A6), ref: 000001845C4E6C21
• VirtualFree.KERNEL32 ref: 000001845C4E76BF
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$Virtual$Free$EnterRead$Leave$Alloc$lstrcat$CloseDeleteDisconnectHandleInitializeNamedPipememcpymemset
• String ID:
• API String ID: 4255235403-0
• Opcode ID: 487ab0318e1d18530209ff1e23f5e332d75461c33a839119e161c17338c97bb7
• Instruction ID: f12f24a3b97196902c1d0985fc12125309b61ddd7cbe1a596d1e71558d831d69
• Opcode Fuzzy Hash: 487ab0318e1d18530209ff1e23f5e332d75461c33a839119e161c17338c97bb7
• Instruction Fuzzy Hash: E5917A32705F4187EB68CF66E5507AEB3A0FB9AF94F49C214CA8A03B55DF38D2508749
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalFreeSection$AllocCreateEnterErrorLastLeaveReadThreadbindhtonlhtonsinet_addrlistenmemsetsetsockoptsocket
• String ID:
• API String ID: 1206800484-0
• Opcode ID: 3b4ce19dcc75c1c8cdbd46baa2501b7c779ff89514a24e43775d64ba7dc00e07
• Instruction ID: 146eac22565008005cee9a6c6ad73e16a5ea5b03e05acc432e8544318c3dd6da
• Opcode Fuzzy Hash: 3b4ce19dcc75c1c8cdbd46baa2501b7c779ff89514a24e43775d64ba7dc00e07
• Instruction Fuzzy Hash: 89517E32304B5183E7298F61E8447DDB3B0FB99F85F848226DA4A43B94DF38D655CB48
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: htons$ErrorLast_unlinkbindgetsockname
• String ID: "%s" too long for UNIX domain socket$@$ERROR on binding fd %d to "%s" (%d %d)$ERROR on binding fd %d to port %d (%d %d)$lws_create_vhost$lws_socket_bind
• API String ID: 4073785539-2597659182
• Opcode ID: 24bc8069ff57ac113c3f7b0f3bc0ec0c4e81cfd8a2103457d748139057c3f398
• Instruction ID: 5b109913580056e519705c049536e0366c555592e13b575a3602be014df4b7ab
• Opcode Fuzzy Hash: 24bc8069ff57ac113c3f7b0f3bc0ec0c4e81cfd8a2103457d748139057c3f398
• Instruction Fuzzy Hash: E6819172614B9587EB24DFA1E8403EDB3A0F3A5794F409316EE8957A59DF38C788C704
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual$freemalloc$GroupLocalMembersSleepUser
• String ID: Administrators
• API String ID: 2980277588-3395160503
• Opcode ID: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
• Instruction ID: 7f0eb42ef3a2b1dc8275282ab70d489c33b33ec921b62a8b32e3714893444961
• Opcode Fuzzy Hash: da3a28424a5a67998ed531bb1b5f40b6d27e172e32b39df16f7556483a8c1416
• Instruction Fuzzy Hash: 18517C32B00B118BEB148F76D8547EC73A5FB9AF88F54C225DE0A06B58DE38D645C748
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
• String ID: taskmgr.exe
• API String ID: 441768363-4156271273
• Opcode ID: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
• Instruction ID: 1b7a588056662e0521b71279a17d26c24fa119c3df4650cc48e6eba33a4f8c63
• Opcode Fuzzy Hash: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
• Instruction Fuzzy Hash: A641D13170565A87EB249F52E910BEEFB61BB95FC0F41C219DE0647AA4EF38CA04C749
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Message$RegisterWindow$NotificationSession$ClassCreateDispatchHandleLongModuleShowTranslate
• String ID: Session Logon
• API String ID: 1979525249-2950959013
• Opcode ID: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
• Instruction ID: 3b39acc451c527ce0e4eb6d3d9a15779dd2be55a3b5eaaad88078396fc7016a3
• Opcode Fuzzy Hash: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
• Instruction Fuzzy Hash: 4041B732608B9683E714CF65F8447AEF3A1F799B40F55C325EA8943A24DF78C184CB44
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterFreeRead$Leave$Initialize$CreateCurrentEventThread
• String ID:
• API String ID: 3016386783-0
• Opcode ID: 1454743fbe7efa11aabd04cc1c8ed9c14f50533e4e827fb8bae3627dc7ceb715
• Instruction ID: af61751120165cb8fc783ca81390772a6040e8cdca490891c873c0b323573639
• Opcode Fuzzy Hash: 1454743fbe7efa11aabd04cc1c8ed9c14f50533e4e827fb8bae3627dc7ceb715
• Instruction Fuzzy Hash: DE717E32301F4187EB24CF62E844A9EB3A4FB59B80F45C225DB8A43B64DF38D654C748
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Message$ClipboardWindow$ChainChangeClassCreateDispatchHandleModuleRegisterShowTranslateViewer
• String ID: CutActive
• API String ID: 3542119435-15800375
• Opcode ID: 0d714c67f3cfe865919fbe5d08e246d9116574fc16b8d6ae8ab858ff4aa2f78f
• Instruction ID: 3663677eddb6b03fe7759d6a36ba088d49a2a577da9a65aefe9821815b669846
• Opcode Fuzzy Hash: 0d714c67f3cfe865919fbe5d08e246d9116574fc16b8d6ae8ab858ff4aa2f78f
• Instruction Fuzzy Hash: 58418532618BD683EB24CF61F85479EB3A1F799B80F558225DA8D42A14EF3DC184C744
APIs
• getaddrinfo.WS2_32 ref: 000001845C4FAAA4
• VirtualFree.KERNEL32 ref: 000001845C4FAAC9
• htons.WS2_32 ref: 000001845C4FAADD
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
• VirtualFree.KERNEL32 ref: 000001845C4FAC00
• VirtualFree.KERNEL32 ref: 000001845C4FAC30
• VirtualFree.KERNEL32 ref: 000001845C4FAC46
• VirtualFree.KERNEL32 ref: 000001845C4FAC70
• CreateThread.KERNEL32 ref: 000001845C4FAC9B
• IsBadReadPtr.KERNEL32 ref: 000001845C4FACB0
• EnterCriticalSection.KERNEL32 ref: 000001845C4FACC3
• VirtualAlloc.KERNEL32 ref: 000001845C4FACDA
• LeaveCriticalSection.KERNEL32 ref: 000001845C4FACFE
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$CreateInitializeThreadgetaddrinfohtons
• String ID:
• API String ID: 900205276-0
• Opcode ID: 8c129793120a5eaf90c5e420acc84c96ddf636ddc2a4fcd7ddec8e6b6a481413
• Instruction ID: 1c931d47df7b336cd53fdfb48b850c2f16fbd119a9977fbbd793ccb245af656c
• Opcode Fuzzy Hash: 8c129793120a5eaf90c5e420acc84c96ddf636ddc2a4fcd7ddec8e6b6a481413
• Instruction Fuzzy Hash: EB918B72710B418BEB14DF62E418BAD73A5FB89F88F45822ADE4A43B58DF38C245C344
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualAlloc.KERNEL32 ref: 000001845C4E3E86
• VirtualAlloc.KERNEL32 ref: 000001845C4E3FAD
• VirtualFree.KERNEL32 ref: 000001845C4E3FC6
• VirtualFree.KERNEL32 ref: 000001845C4E3FDC
• VirtualFree.KERNEL32 ref: 000001845C4E40E0
• VirtualFree.KERNEL32 ref: 000001845C4E410A
• VirtualFree.KERNEL32 ref: 000001845C4E411B
• VirtualFree.KERNEL32 ref: 000001845C4E4006
• VirtualFree.KERNEL32 ref: 000001845C4E41CF
• VirtualFree.KERNEL32 ref: 000001845C4E41F9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Alloc$CriticalSection$EnterRead$Leave$Initialize_time64randsrand
• String ID: :
• API String ID: 3336294232-336475711
• Opcode ID: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
• Instruction ID: 685fc38c0d911349fd87c2835b13a67a1a30148a648e8f90b231413cccf58c4b
• Opcode Fuzzy Hash: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
• Instruction Fuzzy Hash: 0EB1AC32710B9283EB258F2AE4147ADA7A0FBDAF84F15E325DE8A43745DF38C6458744
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process$ErrorLastOpenToken$AdjustCloseCurrentHandleLookupPrivilegePrivilegesValue
                                                                                                                                              • String ID: SeDebugPrivilege
                                                                                                                                              • API String ID: 3627867324-2896544425
                                                                                                                                              • Opcode ID: 6f061aaa7941448df92f5fc4232100a70558b149b3d13a2c200e355258010a89
                                                                                                                                              • Instruction ID: b85d37961887c7cb03bc1cb507477426d49222c58eefdbd40bc23f47aed86f2c
                                                                                                                                              • Opcode Fuzzy Hash: 6f061aaa7941448df92f5fc4232100a70558b149b3d13a2c200e355258010a89
                                                                                                                                              • Instruction Fuzzy Hash: 5A21B135214B5283E7548F51F40478EB7A1E785FB4F448316AAAA43BD4CF3CC1448B84
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F624A
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F6274
                                                                                                                                              • OpenClipboard.USER32 ref: 000001845C4F6302
                                                                                                                                              • GlobalAlloc.KERNEL32 ref: 000001845C4F631A
                                                                                                                                              • GlobalLock.KERNEL32 ref: 000001845C4F632B
                                                                                                                                              • GlobalUnlock.KERNEL32 ref: 000001845C4F6349
                                                                                                                                              • SetClipboardData.USER32 ref: 000001845C4F6357
                                                                                                                                              • CloseClipboard.USER32 ref: 000001845C4F635D
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F6373
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F639D
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocCriticalSection$Free$ClipboardEnterGlobalRead$Leave$CloseDataInitializeLockOpenUnlock
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1362927461-0
                                                                                                                                              • Opcode ID: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
                                                                                                                                              • Instruction ID: 6a1cd5239c2ca24f3ee405dbb46f653f7c433c00ab210cdc760d75b636c36316
                                                                                                                                              • Opcode Fuzzy Hash: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
                                                                                                                                              • Instruction Fuzzy Hash: FD419D32714B5187EB689F62E5447ADA3A1FB99F80F44C215CF8A43F54DF38E1648744
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: OpenService$CloseErrorHandleLastManager
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2659350385-0
                                                                                                                                              • Opcode ID: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
                                                                                                                                              • Instruction ID: 3dc81cdd53c4f2a7e888584ed1a38093cc0198b60a4a9c54028e2269cf17ae15
                                                                                                                                              • Opcode Fuzzy Hash: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
                                                                                                                                              • Instruction Fuzzy Hash: 39218735714A6583EB488FA6F98466D93A0FB9CFD4F449121EE0A43B15DF3CD5858B08
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
                                                                                                                                              • API String ID: 0-2205580742
                                                                                                                                              • Opcode ID: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
                                                                                                                                              • Instruction ID: dcab3b9f2db7d9d944fb45beb8de10387a31829edead7d99da5042bcf1608516
                                                                                                                                              • Opcode Fuzzy Hash: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
                                                                                                                                              • Instruction Fuzzy Hash: 9791EE73D18BD58BE311CF7994016AEBB70F795348F14A349EA846691AEF78E680CF00
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FreeVirtual
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1263568516-0
                                                                                                                                              • Opcode ID: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
                                                                                                                                              • Instruction ID: f6eb2573d363cded6fe95f836757bdf273038e96beced32d72862337af752f53
                                                                                                                                              • Opcode Fuzzy Hash: 7fc2db687d2db18f914aee26642cc12e023eef4ef06861d8de73db2aff1532c5
                                                                                                                                              • Instruction Fuzzy Hash: D8518D76301B1197EB18DF62E654BAD63A1FB8AF81F048125CF4A43F54DF38D2668718
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • NetUserEnum.NETAPI32 ref: 000001845C4F688C
                                                                                                                                              • lstrlenW.KERNEL32 ref: 000001845C4F68CE
                                                                                                                                              • NetApiBufferFree.NETAPI32 ref: 000001845C4F6929
                                                                                                                                              • malloc.MSVCRT ref: 000001845C4F6945
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F69F7
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F6A21
                                                                                                                                              • free.MSVCRT ref: 000001845C4F6A2A
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F6A54
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F6A7E
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$BufferEnumInitializeUserfreelstrlenmalloc
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1638303497-0
                                                                                                                                              • Opcode ID: 65d04138dd441912b688736d00cc8846464790f10e23658900d22c822e7612d9
                                                                                                                                              • Instruction ID: dd10ea7b3c2bba1f027ea9623fac76b984904199cfbfb28225e1ccd5fe8b74d0
                                                                                                                                              • Opcode Fuzzy Hash: 65d04138dd441912b688736d00cc8846464790f10e23658900d22c822e7612d9
                                                                                                                                              • Instruction Fuzzy Hash: C3617C32715B9187EB64CF22E4447AEB3A4FB8AF80F449225DE8A43B58DF38D544CB44
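The "API ID" printed under Similarity is the key an analyst pivots on when hunting for the same routine in other reports, so it helps to know how it relates to the API list shown for a function. The block below is an added example, not Joe Sandbox code, and it rebuilds the API IDs of the two functions above whose API lists the report prints in full (the clipboard writer with calls at 000001845C4F624A..639D and the NetUserEnum routine with calls at 000001845C4F688C..6A7E). The rule it applies is inferred only from those two blocks and is an assumption, not a published specification: split each API name on CamelCase boundaries, keep tokens of four or more characters (so Get, Set, Is, Ptr, Net, Api and the W suffix of lstrlenW vanish), keep "CriticalSection" as one token, count tokens across the function and its listed subcalls, bucket by descending count, sort alphabetically (ASCII order) inside a bucket, and join buckets with "$". The numeric "API String ID" hash is not reproduced.

```python
from __future__ import annotations

import re
from collections import Counter

# Assumption inferred from this report: Joe Sandbox keeps a few compound
# words as a single token where a plain CamelCase split would break them.
COMPOUND_TOKENS = {"CriticalSection"}
# Assumption: tokens shorter than four characters ("Get", "Set", "Is",
# "Ptr", "Net", "Api", "W") never appear in the API IDs on this page.
MIN_TOKEN_LEN = 4

# Subcall chain the report attaches to both functions (the
# "Part of subcall function 000001845C4E3330" lines above).
SUBCALL_5C4E3330 = [
    "VirtualAlloc", "VirtualAlloc", "InitializeCriticalSection", "IsBadReadPtr",
    "EnterCriticalSection", "VirtualAlloc", "LeaveCriticalSection", "IsBadReadPtr",
    "EnterCriticalSection", "VirtualAlloc", "LeaveCriticalSection", "IsBadReadPtr",
    "EnterCriticalSection", "VirtualAlloc",
]

# Direct calls of the clipboard-writing function (refs 000001845C4F624A..639D).
CLIPBOARD_FUNC = SUBCALL_5C4E3330 + [
    "VirtualFree", "VirtualFree", "OpenClipboard", "GlobalAlloc", "GlobalLock",
    "GlobalUnlock", "SetClipboardData", "CloseClipboard", "VirtualFree", "VirtualFree",
]

# Direct calls of the user-enumeration function (refs 000001845C4F688C..6A7E).
NETUSER_FUNC = SUBCALL_5C4E3330 + [
    "NetUserEnum", "lstrlenW", "NetApiBufferFree", "malloc", "VirtualFree",
    "VirtualFree", "free", "VirtualFree", "VirtualFree",
]


def api_tokens(api_name: str) -> list[str]:
    """Split one API name into the tokens that survive into an API ID."""
    name = api_name.split(".")[0]  # tolerate "VirtualAlloc.KERNEL32" style names
    for compound in COMPOUND_TOKENS:
        name = name.replace(compound, f"_{compound}_")
    tokens: list[str] = []
    for piece in name.split("_"):
        if piece in COMPOUND_TOKENS:
            tokens.append(piece)
        else:
            # CamelCase split; a lone suffix such as the "W" of lstrlenW
            # becomes its own token and is dropped by the length filter
            tokens.extend(re.findall(r"[A-Za-z][a-z]*", piece))
    return [t for t in tokens if len(t) >= MIN_TOKEN_LEN]


def api_id(api_calls: list[str]) -> str:
    """Rebuild a Joe Sandbox style API ID from a function's API call list."""
    counts = Counter(tok for call in api_calls for tok in api_tokens(call))
    buckets: dict[int, list[str]] = {}
    for tok, n in counts.items():
        buckets.setdefault(n, []).append(tok)
    # most frequent bucket first; plain ASCII sort inside a bucket, which is
    # why "User" sorts before "free" on the page
    return "$".join("".join(sorted(buckets[n])) for n in sorted(buckets, reverse=True))


if __name__ == "__main__":
    print(api_id(CLIPBOARD_FUNC))
    print(api_id(NETUSER_FUNC))
```

Run against the two lists it reproduces the values printed in the Similarity sections above. If a function from another report yields a different ID under this rule, the inferred rule (not the report) is what is wrong, which is why it is flagged as an assumption; the subcall chain must be included in the count, since the report folds those calls into the ID.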
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5A64
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5A8E
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4F5AA5
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5B6E
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5B98
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5BBD
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5BE7
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5C0A
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5C34
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5C6C
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leave$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 529218107-0
                                                                                                                                              • Opcode ID: 9fb0c0ea2ccca51140455bb48a2ce0fc2871494495097355718dc06f0b780af2
                                                                                                                                              • Instruction ID: d77c795bbfeee55b1c1bad1db8ddf330eba1108143439f03d8c12ca37df1a829
                                                                                                                                              • Opcode Fuzzy Hash: 9fb0c0ea2ccca51140455bb48a2ce0fc2871494495097355718dc06f0b780af2
                                                                                                                                              • Instruction Fuzzy Hash: 9C714031311F4187EB68DF62E494A9EB3A4FB99F80F48C225CE8A43B14DF39D6518748
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: socket$bindgetsocknamehtonl
                                                                                                                                              • String ID: %s: failed$lws_plat_pipe_create
                                                                                                                                              • API String ID: 858234250-3012564250
                                                                                                                                              • Opcode ID: 3e06797931bfed255cca20481481bcc32daeca8df7cbd3f6bce5922f777b38ac
                                                                                                                                              • Instruction ID: e56d15a3d0c2a346d4f0be43648e63a54c82e87047881d79e2e76e20361681b2
                                                                                                                                              • Opcode Fuzzy Hash: 3e06797931bfed255cca20481481bcc32daeca8df7cbd3f6bce5922f777b38ac
                                                                                                                                              • Instruction Fuzzy Hash: 25216232710AA583E7448F64E4483CE7364E754FA8F585336EAA9477E8DF38C681C745
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Free$InitializeStringVirtual$AllocCreateInitInstanceSecurityVariant
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1458724981-0
                                                                                                                                              • Opcode ID: a98515b45f30c999fd584888f1fb30ce494dfbb6bf43997bf48997d6c69b94f9
                                                                                                                                              • Instruction ID: 836725aef252814901cf1f9262082927fa5013ba6106a535212241d80c907915
                                                                                                                                              • Opcode Fuzzy Hash: a98515b45f30c999fd584888f1fb30ce494dfbb6bf43997bf48997d6c69b94f9
                                                                                                                                              • Instruction Fuzzy Hash: 3481B032604BA5C7EB14CFA6E84869DB3B5FB98F85F418216EE4947B18DF38C245CB40
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsOverlappedRecvResultWaitmemset
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3426673637-0
                                                                                                                                              • Opcode ID: b8b262f54c82b47c603efcc098acbee309593ccfe0400ca3453b4a2416fff10a
                                                                                                                                              • Instruction ID: b8f4fa9600df94259bd9694fa8f0a63cf0eb0a838cd8379cb399b7518a8b0793
                                                                                                                                              • Opcode Fuzzy Hash: b8b262f54c82b47c603efcc098acbee309593ccfe0400ca3453b4a2416fff10a
                                                                                                                                              • Instruction Fuzzy Hash: 8E319032204B9687EB20CFA1F440BCEB7A4F798784F509226EB8853A24DF78C655CB44
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ClipboardGlobal$AllocCloseDataErrorLastLockOpenSleepUnlock
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3499886738-0
                                                                                                                                              • Opcode ID: 4b723c17ec104936dfe9111a579a009fbd450c761b1b8f465c76b1695d4f4b3d
                                                                                                                                              • Instruction ID: c7834fdd0390849f527c64f4636d572cb6a35cbe4a999f0225b72d893020673c
                                                                                                                                              • Opcode Fuzzy Hash: 4b723c17ec104936dfe9111a579a009fbd450c761b1b8f465c76b1695d4f4b3d
                                                                                                                                              • Instruction Fuzzy Hash: 3621C43632469183EB58DF61F48465DA3A0F789F80F849225EE4743B58DF3CD995CB44
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Library$AddressAllocFreeLoadProcVirtual
                                                                                                                                              • String ID: SetProcessDPIAware$user32.dll
                                                                                                                                              • API String ID: 3041263384-1137607222
                                                                                                                                              • Opcode ID: 2d5c190feabc2370d29f15f15ffb36fb6660cf0171777757c6844a959bed01c6
                                                                                                                                              • Instruction ID: 79675da56a16de244377e4484ae897b5aca5542dcc9b181d62b1d0baeac49688
                                                                                                                                              • Opcode Fuzzy Hash: 2d5c190feabc2370d29f15f15ffb36fb6660cf0171777757c6844a959bed01c6
                                                                                                                                              • Instruction Fuzzy Hash: 43515435212F8697EB459F60E880BDD33E9FB09B45F989736C94D06364EF389258C368
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: lstrcpy$DeviceDriveLogicalQueryStringslstrcatlstrlenwcsncmp
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1240803607-0
                                                                                                                                              • Opcode ID: f5144d0f8da87860272a3bab1dd78902ada191ba324fd56ce968b0d5fe92846b
                                                                                                                                              • Instruction ID: 685312c43e9ecb441297793f1e00e2db0b6edeae11e4694d384c66e6bdf61e0a
                                                                                                                                              • Opcode Fuzzy Hash: f5144d0f8da87860272a3bab1dd78902ada191ba324fd56ce968b0d5fe92846b
                                                                                                                                              • Instruction Fuzzy Hash: F2319376214A9293EA748F11E8007EE7361FB84FC5F848226DE8947B58EF3CC655CB44
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseControlCreateDeviceFileHandlelstrlenmemset
                                                                                                                                              • String ID: \\.\{F8284233-48F4-4680-ADDD-F8284233}
                                                                                                                                              • API String ID: 2589617790-329358119
                                                                                                                                              • Opcode ID: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
                                                                                                                                              • Instruction ID: 428480ea852dab226c5e4595e6cff94183beb8e87ffc1a5379930d7a05a665a3
                                                                                                                                              • Opcode Fuzzy Hash: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
                                                                                                                                              • Instruction Fuzzy Hash: 0E112636218A9183E7618B90F8447CAB3A0F7D9744F948226EA8943B58DF7DC248CB44
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5814
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F583E
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4F5855
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F594C
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5976
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F599B
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F59C5
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F59EA
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                                                • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                                                • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 948184506-0
                                                                                                                                              • Opcode ID: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
                                                                                                                                              • Instruction ID: bb393b75247a710a1a8de15f26fa3ebb08409bfb7f5e40095d8d8476c63545f3
                                                                                                                                              • Opcode Fuzzy Hash: 2398d3e56b10dcafaaf99b981a30711067a2213169235feba3d334b158cf1ca3
                                                                                                                                              • Instruction Fuzzy Hash: B9613B36301F5187EB68DF62E494A9EB3A5FB99B80F45C225CE8A43B14DF38D254C748
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5394
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F53BE
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4F53D5
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F54C1
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F54EB
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F5510
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F553A
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F555F
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                                                • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                                                • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 948184506-0
                                                                                                                                              • Opcode ID: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
                                                                                                                                              • Instruction ID: 7c1ca102a37f1e6b7ba3e6a967b8e7008370b7aeb40131eb1da9629f46fb4d08
                                                                                                                                              • Opcode Fuzzy Hash: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
                                                                                                                                              • Instruction Fuzzy Hash: 4A614D36311F4187EB64DF62E494A9EB3A5FB99B80F45C225CE8A43B14DF38E254C748
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4DE4
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4E0E
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4F4E25
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4EFB
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4F25
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4F4A
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4F74
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4F99
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
                                                                                                                                                • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
                                                                                                                                                • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
                                                                                                                                                • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 948184506-0
                                                                                                                                              • Opcode ID: f7de3ef79a839558e92453357d372ecf487bd6df2e347dd270595c6328062898
                                                                                                                                              • Instruction ID: 4b46c0b862d2478ee9667a801caf52cbfe3f92598fb15ed89ebf88f1d39863b9
• Opcode Fuzzy Hash: f7de3ef79a839558e92453357d372ecf487bd6df2e347dd270595c6328062898
• Instruction Fuzzy Hash: 82513936311F4187EB64CF62E454A9EB3A5FB99B80F45C225DE8A43B14DF39E2508748
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F55E4
• VirtualFree.KERNEL32 ref: 000001845C4F560E
• VirtualAlloc.KERNEL32 ref: 000001845C4F5625
• VirtualFree.KERNEL32 ref: 000001845C4F56FB
• VirtualFree.KERNEL32 ref: 000001845C4F5725
• VirtualFree.KERNEL32 ref: 000001845C4F574A
• VirtualFree.KERNEL32 ref: 000001845C4F5774
• VirtualFree.KERNEL32 ref: 000001845C4F5799
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
  • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
  • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
• Instruction ID: 807de75ceb3c72c2e28623555a95dc77b249acc624efcd4a7de5c9c38e7d0a85
• Opcode Fuzzy Hash: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
• Instruction Fuzzy Hash: 66515A32711F4287EB64DF62E494A9EB3A5FB89B80F45C225DE8A43B14DF38D254C748
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F4754
• VirtualFree.KERNEL32 ref: 000001845C4F477E
• VirtualAlloc.KERNEL32 ref: 000001845C4F4795
• VirtualFree.KERNEL32 ref: 000001845C4F486B
• VirtualFree.KERNEL32 ref: 000001845C4F4895
• VirtualFree.KERNEL32 ref: 000001845C4F48BA
• VirtualFree.KERNEL32 ref: 000001845C4F48E4
• VirtualFree.KERNEL32 ref: 000001845C4F4909
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
  • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
  • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
• Instruction ID: a345856d8bdf946714216f5c05df4beef8978860a06d23c120fadd271a3137e3
• Opcode Fuzzy Hash: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
• Instruction Fuzzy Hash: 7F514B36311F4187EB64DF62E454A9EB3A5FB99B80F45C225CE8A43B14DF38E254C748
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F4984
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
  • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
  • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
• VirtualFree.KERNEL32 ref: 000001845C4F49AE
• VirtualAlloc.KERNEL32 ref: 000001845C4F49C5
• VirtualFree.KERNEL32 ref: 000001845C4F4A90
• VirtualFree.KERNEL32 ref: 000001845C4F4ABA
• VirtualFree.KERNEL32 ref: 000001845C4F4ADF
• VirtualFree.KERNEL32 ref: 000001845C4F4B09
• VirtualFree.KERNEL32 ref: 000001845C4F4B2E
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: d577543977fa0da55da5beeaf9c154f68529e181afdaea789ff489f112afd6f9
• Instruction ID: 198f30afb120615c013f4b2ddeceb5fbcc42efe3d3a757dbe664e20affcfaa7f
• Opcode Fuzzy Hash: d577543977fa0da55da5beeaf9c154f68529e181afdaea789ff489f112afd6f9
• Instruction Fuzzy Hash: 04516932701F4187EB68CF62E454A9EB3A4FB89B80F45C225DE8A03B14DF38E2508748
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F4BB4
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D50
  • Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D66
  • Part of subcall function 000001845C4E4D20: DeleteCriticalSection.KERNEL32 ref: 000001845C4E4D8D
  • Part of subcall function 000001845C4E4D20: VirtualFree.KERNEL32 ref: 000001845C4E4DBA
• VirtualFree.KERNEL32 ref: 000001845C4F4BDE
• VirtualAlloc.KERNEL32 ref: 000001845C4F4BF5
• VirtualFree.KERNEL32 ref: 000001845C4F4CC0
• VirtualFree.KERNEL32 ref: 000001845C4F4CEA
• VirtualFree.KERNEL32 ref: 000001845C4F4D0F
• VirtualFree.KERNEL32 ref: 000001845C4F4D39
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4D5E
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 948184506-0
                                                                                                                                              • Opcode ID: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
                                                                                                                                              • Instruction ID: d6893d842b8d5dbebf201952d41a42409f80e8b7f9aca544400a0b7bbc53e884
                                                                                                                                              • Opcode Fuzzy Hash: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
                                                                                                                                              • Instruction Fuzzy Hash: 00515B32311F4187EB64CF62E454A9EB3A4FB99B80F45D225DF8A43B14DF38E2508748
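The API list and the Similarity block of this record are the raw material an analyst turns into call-sequence signatures. The Python below is an added example written for this page, not Joe Sandbox code: it parses lines in exactly the shape shown above (the sample lines are constructed copies of entries from this record), groups the calls by the subcall function that issues them, reads the `Key: value` fields of the Similarity block, and splits the `API ID` into its `$`-separated fragments. The CamelCase split of each fragment and the keyword set behind the memory-manipulation score are this editor's assumptions; the report does not document the API ID encoding.

```python
"""Added example (not Joe Sandbox code): parse the function records of a
Joe Sandbox report, i.e. the API call lines and the 'Similarity' block,
into structured data that can be searched or scored."""
import re
from collections import Counter, defaultdict

# Constructed sample: copies of API lines in the shape the report uses.
SAMPLE_APIS = """
• Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
• Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
• Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
• VirtualFree.KERNEL32 ref: 000001845C4F4BB4
• Part of subcall function 000001845C4E4D20: CloseHandle.KERNEL32 ref: 000001845C4E4D3D
• VirtualAlloc.KERNEL32 ref: 000001845C4F4BF5
"""

# Constructed sample of one Similarity block (values copied from the record above).
SAMPLE_SIMILARITY = """
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
• Opcode Fuzzy Hash: 2bfe56d21f156cdcea5c1fa0c3f246f0bbc4458051a62838ba9f3e51130bed6a
"""

# "• [Part of subcall function <addr>: ]<Api>.<MODULE>[(<args>)], ref: <addr>"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" (value may be empty, as for 'String ID:')
KEY_VALUE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")

# Heuristic keyword set chosen for this example; not a Joe Sandbox rule.
MEMORY_TOKENS = {"Virtual", "Alloc", "Protect", "Write", "Thread", "Process"}


def parse_api_lines(text):
    """One dict per API line: api, module, args, ref and callee.
    callee is None when the analysed function makes the call itself;
    args is None when the report printed no argument list."""
    return [m.groupdict() for m in map(API_LINE.match, text.splitlines()) if m]


def calls_by_callee(calls):
    """Ordered API names grouped by the subcall function that issues them."""
    grouped = defaultdict(list)
    for call in calls:
        grouped[call["callee"]].append(call["api"])
    return dict(grouped)


def api_counts(calls):
    """How often each API name appears in the record."""
    return Counter(call["api"] for call in calls)


def parse_similarity(text):
    """Key/value fields of a Similarity block; missing values become ''."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def tokenize_api_id(api_id):
    """Split an API ID into its '$'-separated groups, then each group at
    CamelCase boundaries. Assumption made here: a group is a run of API-name
    fragments; all-lowercase CRT names (free, malloc, memset) cannot be
    separated by case and stay glued to the preceding fragment."""
    return [re.findall(r"[A-Z][a-z]*|[a-z]+", group) for group in api_id.split("$")]


def memory_api_score(api_id):
    """Number of API ID fragments that hint at memory or thread manipulation."""
    return sum(tok in MEMORY_TOKENS for group in tokenize_api_id(api_id) for tok in group)


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    print(calls_by_callee(calls))
    print(api_counts(calls).most_common(3))
    sim = parse_similarity(SAMPLE_SIMILARITY)
    print(tokenize_api_id(sim["API ID"]), memory_api_score(sim["API ID"]))
```

To use it on a full report, feed each function record's API lines to `parse_api_lines` and its Similarity lines to `parse_similarity`, then sort records by `memory_api_score` or by the grouped call sequence. The parser only preserves what the report states, for instance that Opcode ID and Opcode Fuzzy Hash carry the same value in this record; it does not interpret those fields.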
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: HandleModule$ProtectVirtual
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3544755384-0
                                                                                                                                              • Opcode ID: f336a93fce01c34d2cdd8dc85c5afcd615c05bd6414b2de0b853565f956b5444
                                                                                                                                              • Instruction ID: 7bffd8782f61dc45d7f2c37fbeda79c48e64136402236ab625615e33cd4500db
                                                                                                                                              • Opcode Fuzzy Hash: f336a93fce01c34d2cdd8dc85c5afcd615c05bd6414b2de0b853565f956b5444
                                                                                                                                              • Instruction Fuzzy Hash: 2521C03261274AC3EB688F54F94479DB3A0F759B89F458226DA4A03754DF3CD690C784
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalFreeSection$AllocCreateEnterFileFindFirstLeaveReadThreadfreemallocmemset
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 4255097067-0
                                                                                                                                              • Opcode ID: 93b94569c2330fb7e55a1628781f64fdf0fd3d0c7a61c3191a88b0bb3e2625d6
                                                                                                                                              • Instruction ID: d569cb462e09c56cbb76818401c7c7dc9f4f1452740e2df1616fdfe809ce6b03
                                                                                                                                              • Opcode Fuzzy Hash: 93b94569c2330fb7e55a1628781f64fdf0fd3d0c7a61c3191a88b0bb3e2625d6
                                                                                                                                              • Instruction Fuzzy Hash: FF219F36301A8583EB609F22D94879D63A4F799FC4F558232CE9A47748DF3DCA49CB40
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: gfffffff
                                                                                                                                              • API String ID: 3215553584-1523873471
                                                                                                                                              • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                              • Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
                                                                                                                                              • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                              • Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: gfffffff
                                                                                                                                              • API String ID: 3215553584-1523873471
                                                                                                                                              • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                              • Instruction ID: bbbae7935abc3b7bee493bde96c9e43f93909778a7fcba09dae96741df72da8d
                                                                                                                                              • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                              • Instruction Fuzzy Hash: BC912373B057C987EB15CB2EA4103EDBBA5A755B84F05C022CA9A877D5EF39C606CB01
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocFree
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2087232378-0
                                                                                                                                              • Opcode ID: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
                                                                                                                                              • Instruction ID: 832a3f2e7a29a9836b83f5af69bbcdbb0820ccca9b864b8a6bee79e322215e6f
                                                                                                                                              • Opcode Fuzzy Hash: 04065c5e2a1c05127fb750dc6d994f61d80097cc70ac26d1f1ef4872fede59b7
                                                                                                                                              • Instruction Fuzzy Hash: 13810432710B8183EB15DF36D6446AEA791FBDAB80F01E715DE8A53B41EF38D2868705
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: NamedPipe$ConnectCreateErrorLast
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3851520242-0
                                                                                                                                              • Opcode ID: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
                                                                                                                                              • Instruction ID: d9c12c89d9cff51a6c4af6bfd7129be2dfa45d5945386ed6c289375d7cf0e034
                                                                                                                                              • Opcode Fuzzy Hash: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
                                                                                                                                              • Instruction Fuzzy Hash: 2901D432204A4183D710CF56F90029DF2A4EB98BF4F448322EA69437A4DF78C9548B08
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$Leave$EnterRead$AllocVirtual$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3051317124-0
                                                                                                                                              • Opcode ID: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                                              • Instruction ID: 7fcc51e74507427d558d06e0d646cb2ec922c2a7f3a1789315711da78935eff0
                                                                                                                                              • Opcode Fuzzy Hash: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                                              • Instruction Fuzzy Hash: A7F13C31200B41C7EB5A8F22E9107AD73A4FB59F84F89D626DE4A47794DF38C654C349
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: File$memset$wsprintf$AttributesDeleteMovelstrlen$Virtuallstrcpy$AllocByteCharCopyFreeMultiPathRemoveSpecWide
                                                                                                                                              • String ID: %s\%s
                                                                                                                                              • API String ID: 467509054-4073750446
                                                                                                                                              • Opcode ID: 5c9f1cf80f21698ae4ba0fa0fdced245dadeac4cbc76957ae87b01c586a556f9
                                                                                                                                              • Instruction ID: 0557462e2511f5fdd9916bff3470d00ad16a0ddd7caf4ebb016a5b5eb61b28a1
                                                                                                                                              • Opcode Fuzzy Hash: 5c9f1cf80f21698ae4ba0fa0fdced245dadeac4cbc76957ae87b01c586a556f9
                                                                                                                                              • Instruction Fuzzy Hash: B4512A32210AABA7EB24DFA4DC547DD6361F7A5B48FC19213D50D8B969EE38C309C780
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$Leave$EnterRead$FreeVirtual$CloseEventHandle$DeleteDisconnectNamedObjectPipeResetSingleSleepWait
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2612321180-0
                                                                                                                                              • Opcode ID: b7046ff1c3375c6ec0fd28ec1e10e6abf8100b599efa27a31810fd02cf3c44bb
                                                                                                                                              • Instruction ID: f761906ddb1ac6851d552c32c3823211b47dd4ff946f0acfe5dba6f29782422b
                                                                                                                                              • Opcode Fuzzy Hash: b7046ff1c3375c6ec0fd28ec1e10e6abf8100b599efa27a31810fd02cf3c44bb
                                                                                                                                              • Instruction Fuzzy Hash: C4818E31301A16C3EB598F61E9507AE63B4FB66F94F89C622CE0A47754DF38CA46C349
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseHandle$FreeVirtual$CriticalDeleteSection$Event
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 10935847-0
                                                                                                                                              • Opcode ID: 27ff84aaf12ebd0a39dbd24038505bf2bb04301d1514b24ab1ddd3ff12eebcae
                                                                                                                                              • Instruction ID: 878d955f54ccf8eb58f1fe1b9ac43e9657c8cbf8da68984dc8bc3e2cc9aeeafa
                                                                                                                                              • Opcode Fuzzy Hash: 27ff84aaf12ebd0a39dbd24038505bf2bb04301d1514b24ab1ddd3ff12eebcae
                                                                                                                                              • Instruction Fuzzy Hash: 3A817C35302A12C7EB68CFA2E550BADB3A0FB95F44F49D615CB4A43A54CF38D650C399
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$AllocVirtual$EnterLeaveRead$CreateEventInitialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3948381741-0
                                                                                                                                              • Opcode ID: 0c97ca10ba80cdc1344fd5c304f31d40c1b2c9626c21ca69a6339e3747ea0fdc
                                                                                                                                              • Instruction ID: e710c07821e30283075fa70c01753ab7e82c8e3fa00fb2e101763f28d25c6838
                                                                                                                                              • Opcode Fuzzy Hash: 0c97ca10ba80cdc1344fd5c304f31d40c1b2c9626c21ca69a6339e3747ea0fdc
                                                                                                                                              • Instruction Fuzzy Hash: 5B615A31311F5583EB498F61E9103ADB3A4F768F80F84C626DA5A93B94DF38DA65C348
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Startupmemset
                                                                                                                                              • String ID: Failed to create default vhost$Failed to init cookiejar$NSC$OOM$OOM allocating %d fds$context$fds table$info->ka_interval can't be 0 if ka_time used$lws_create_context$lws_free$mux$prot_init$system$unknown$wsi$wsicli$wsisrv
                                                                                                                                              • API String ID: 1873301828-3289243303
                                                                                                                                              • Opcode ID: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
                                                                                                                                              • Instruction ID: 3f79a68e88060897263dd54d553de9dc202d2e5a0ee8d8bcdd5beb3f16316af1
                                                                                                                                              • Opcode Fuzzy Hash: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
                                                                                                                                              • Instruction Fuzzy Hash: C0325D36201B9A87EB548F65E4403DEB3A4F754B88F448236DE9D9B394EF38D250C758
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: String$AllocFree$CreateInstanceUninitialize$Initialize
                                                                                                                                              • String ID: Block All Outbound$Block all outbound traffic$BlockAllGroup$i33L
                                                                                                                                              • API String ID: 2562062002-1644180588
                                                                                                                                              • Opcode ID: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
                                                                                                                                              • Instruction ID: 67b64ffcbd2fd57c0f05b0eb1cf820b9490b20c5a33cf506ac8011a674157a0f
                                                                                                                                              • Opcode Fuzzy Hash: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
                                                                                                                                              • Instruction Fuzzy Hash: F251DF76700B558BEB00DF66E88429C77B0F798F88F508626DA5A47B28DF38C619CB45
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process$Current$Terminate$memsetwsprintf$ObjectSessionSingleWait
                                                                                                                                              • String ID: \\.\Pipe\%d_Local_%d$\\.\Pipe\%d_pipe%d
                                                                                                                                              • API String ID: 1631145905-82101934
                                                                                                                                              • Opcode ID: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
                                                                                                                                              • Instruction ID: 855e2c70c8fcbaaf044d8c01572b3bbabff9e8fd249cbb87d63b95a198d7cec9
                                                                                                                                              • Opcode Fuzzy Hash: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
                                                                                                                                              • Instruction Fuzzy Hash: 4131D372300A9683EB249F62EC447DEA3A1F7A5F88F44C221C94A43769DF3CC649CB54
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSectionVirtual$Alloc$EnterReadsetsockopt$Leave$accept$CancelCreateFreeInitializeIoctlSleepThreadclosesocket
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 241427152-0
                                                                                                                                              • Opcode ID: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
                                                                                                                                              • Instruction ID: 6cd1a3acc32c5b153c1e9818a603772dd601a56ec0a2500606ee99b1b1986fee
                                                                                                                                              • Opcode Fuzzy Hash: 8054d77f63a71bffb60c6de152fa376652fa5a9bac917f7a9e8e23a3707f0d6a
                                                                                                                                              • Instruction Fuzzy Hash: 49619072204B9287E7248F51E404B9EB7B4F789B84F448225DF8A07B54CF3DD659CB48
                                                                                                                                              APIs
                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504DB7
                                                                                                                                              • InitializeCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504DEF
                                                                                                                                              • CreateEventW.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E01
                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E1C
                                                                                                                                              • InitializeCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E2E
                                                                                                                                              • IsBadReadPtr.KERNEL32 ref: 000001845C504E49
                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E5C
                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504E73
                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504EA2
                                                                                                                                              • IsBadReadPtr.KERNEL32 ref: 000001845C504EB4
                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504EC7
                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504EDE
                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F0D
                                                                                                                                              • IsBadReadPtr.KERNEL32 ref: 000001845C504F1F
                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F32
                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F49
                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000,000001845C505130,?,?,00000000,000001845C4E4AAC), ref: 000001845C504F78
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$AllocVirtual$EnterLeaveRead$Initialize$CreateEvent
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3934889794-0
                                                                                                                                              • Opcode ID: d745ae7875c7a808b0e5a312b163fd60a6495f42bc51f35149f49f448c640802
                                                                                                                                              • Instruction ID: 6696c874fd5983120837ab6dd2d448884f2ea31bdb7d655246a8b214461c05c5
                                                                                                                                              • Opcode Fuzzy Hash: d745ae7875c7a808b0e5a312b163fd60a6495f42bc51f35149f49f448c640802
                                                                                                                                              • Instruction Fuzzy Hash: E3516332310F5583EB498F61E9003ADB3A4F768F84F84C626DA5983B94DF38D664C344
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseHandle$DisconnectNamedPipe$Terminate$FreeThreadVirtual$CriticalDeleteProcessSection
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2021643575-0
                                                                                                                                              • Opcode ID: e1219eb5096a696673c920ee8a3caf4302f5afb9c9ade7e8d0e7ee9dfdca1525
                                                                                                                                              • Instruction ID: 7e1a62af1d704765280f64b6cb085d0335ad0aaffd0a6fc60902fa5da5ef2e7a
                                                                                                                                              • Opcode Fuzzy Hash: e1219eb5096a696673c920ee8a3caf4302f5afb9c9ade7e8d0e7ee9dfdca1525
                                                                                                                                              • Instruction Fuzzy Hash: 8F412B35202A6683FF58CFA2D56036DA364FFA4F88F08C616DE4A42A54CF38C551D399
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: memcpy
                                                                                                                                              • String ID: %s|%s|%d$OOM$default$ener)$http_proxy$init server failed$lws_create_vhost$lws_free$lws_protocol_init failed$port %u$same vh list$vh plugin table$|%s$|%u
                                                                                                                                              • API String ID: 3510742995-1324429581
                                                                                                                                              • Opcode ID: 379c9d18fd57c2ae79b8b94559fee726fe2e35d7262676346e3f36fa73a1b13f
                                                                                                                                              • Instruction ID: 5e00151059da1ab7c5e5c270476b7771a355b4ad3b78c73f18ed2614c4a0ab7d
                                                                                                                                              • Opcode Fuzzy Hash: 379c9d18fd57c2ae79b8b94559fee726fe2e35d7262676346e3f36fa73a1b13f
                                                                                                                                              • Instruction Fuzzy Hash: 05025932201B9A97EB54CF65D8843EDB3A0F768B88F948226DE8D47795EF38D651C304
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Object$DeleteFreeVirtual$CloseHandleSelect$BlockEventInputReleaseSingleWait
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3967251967-0
                                                                                                                                              • Opcode ID: 3a07132e1f9d7ba23aabf59264424579120ae970d8e9deebab850e7ccb55037e
                                                                                                                                              • Instruction ID: bee56aa08563063c21f669bd23eb384e6bdae049206e8000b5a48ef468f450fe
                                                                                                                                              • Opcode Fuzzy Hash: 3a07132e1f9d7ba23aabf59264424579120ae970d8e9deebab850e7ccb55037e
                                                                                                                                              • Instruction Fuzzy Hash: 0141063A301F6583FB48CFA2E8547AD63A5FB95F84F448226CE8A43B58CF38C5558359
                                                                                                                                              APIs
                                                                                                                                              • IsBadReadPtr.KERNEL32 ref: 000001845C4E725A
                                                                                                                                                • Part of subcall function 000001845C4F8120: VirtualAlloc.KERNEL32(?,?,00000000,000001845C4F6D58), ref: 000001845C4F8137
                                                                                                                                                • Part of subcall function 000001845C4F8120: InitializeCriticalSection.KERNEL32(?,?,00000000,000001845C4F6D58), ref: 000001845C4F8165
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • memset.NTDLL ref: 000001845C4E7295
                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 000001845C4E729A
                                                                                                                                              • wsprintfW.USER32 ref: 000001845C4E72B6
                                                                                                                                              • WaitForSingleObject.KERNEL32 ref: 000001845C4E72D3
                                                                                                                                              • WaitForSingleObject.KERNEL32 ref: 000001845C4E731B
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E733A
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E7364
                                                                                                                                              • DisconnectNamedPipe.KERNEL32 ref: 000001845C4E737B
                                                                                                                                              • CloseHandle.KERNEL32 ref: 000001845C4E738A
                                                                                                                                              • DeleteCriticalSection.KERNEL32 ref: 000001845C4E7398
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E73A9
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$Read$EnterFree$InitializeLeaveObjectSingleWait$CloseCurrentDeleteDisconnectHandleNamedPipeProcessmemsetwsprintf
                                                                                                                                              • String ID: \\.\Pipe\%d_Local_%d
                                                                                                                                              • API String ID: 2297721380-251893267
                                                                                                                                              • Opcode ID: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
                                                                                                                                              • Instruction ID: c5ac6a36f550d9636fa504cc26cb0c70735a4b6d3f0ac769dc8172948c9a9ddd
                                                                                                                                              • Opcode Fuzzy Hash: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
                                                                                                                                              • Instruction Fuzzy Hash: A9417F31300A52C3EBA89F62E5547AEA3A1FB95F94F44C221CE4A47A94DF3CC685C349
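Added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: a Python parser that turns function entries in the listing format above into per-function records (direct API calls, subcall APIs, String ID values, fuzzy hash) and pulls out the named-pipe name format string so it can be matched against concrete pipe names seen on a host (for instance Sysmon pipe-creation events). The SAMPLE text is a constructed excerpt that mirrors the layout of the entries on this page; the regular expressions, the set of named-pipe APIs and all function names are assumptions of this example.

```python
"""Parse Joe Sandbox IDA-plugin style function listings into per-function records.

Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt that mirrors
the report layout; the regexes below are assumptions about that layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's layout (two function entries, shortened).
SAMPLE = r"""APIs
• IsBadReadPtr.KERNEL32 ref: 000001845C4E725A
  • Part of subcall function 000001845C4F8120: VirtualAlloc.KERNEL32(?,?,00000000,000001845C4F6D58), ref: 000001845C4F8137
• GetCurrentProcessId.KERNEL32 ref: 000001845C4E729A
• wsprintfW.USER32 ref: 000001845C4E72B6
• DisconnectNamedPipe.KERNEL32 ref: 000001845C4E737B
• CloseHandle.KERNEL32 ref: 000001845C4E738A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Similarity
• API ID: Virtual$CriticalSection$Alloc
• String ID: \\.\Pipe\%d_Local_%d
• API String ID: 2297721380-251893267
• Instruction Fuzzy Hash: A9417F31300A52C3EBA89F62E5547AEA3A1FB95F94F44C221CE4A47A94DF3CC685C349
APIs
Strings
Memory Dump Source
Similarity
• API ID: ErrorLast$setsockopt$Ioctlgetprotobynameioctlsocket
• String ID: TCP$WSAIoctl SIO_KEEPALIVE_VALS 1 %lu %lu failed with error %d$ioctlsocket FIONBIO 1 failed with error %d
• API String ID: 689193069-3784515845
• Instruction Fuzzy Hash: AA41A33260479A87E710CFA1E4447CDB7A4F398B94F948226DE8843754DF7DDA49CB84
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally a subcall line.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash):\s?(?P<val>.*)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    subcall_of: Optional[str] = None  # address of the callee when listed as "Part of subcall"


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_id: list[str] = field(default_factory=list)
    api_string_id: str = ""
    instruction_hash: str = ""

    @property
    def direct_apis(self) -> set[str]:
        """APIs the function calls itself, excluding those attributed to subcalls."""
        return {c.name for c in self.calls if c.subcall_of is None}


def parse_report(text: str) -> list[FunctionEntry]:
    """Split the listing at each 'APIs' header and collect the fields of every entry."""
    entries: list[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":  # every function entry opens with this header
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"].strip()
        if key == "API ID":
            current.api_id = [t for t in val.split("$") if t]
        elif key == "String ID":
            current.strings = [s for s in val.split("$") if s]  # '$' separates strings
        elif key == "API String ID":
            current.api_string_id = val
        elif key == "Instruction Fuzzy Hash":
            current.instruction_hash = val
    return entries


# Assumed set of named-pipe APIs worth pairing with a \\.\Pipe\ format string.
PIPE_APIS = {"CreateNamedPipeW", "CreateNamedPipeA", "ConnectNamedPipe",
             "DisconnectNamedPipe", "CallNamedPipeW", "CallNamedPipeA"}


def named_pipe_patterns(entries: list[FunctionEntry]) -> list[tuple[str, str]]:
    """(instruction hash, pipe format string) for functions that use pipe APIs directly."""
    hits = []
    for e in entries:
        if not (e.direct_apis & PIPE_APIS):
            continue
        for s in e.strings:
            if s.lower().startswith("\\\\.\\pipe\\"):
                hits.append((e.instruction_hash, s))
    return hits


def format_to_regex(fmt: str) -> re.Pattern:
    """Turn a printf-style format string into a regex matching its concrete instances."""
    pattern = re.escape(fmt)
    pattern = re.sub(r"%l?[du]", lambda _: r"\d+", pattern)  # %d, %u, %lu -> digits
    pattern = re.sub(r"%s", lambda _: r".+?", pattern)        # %s -> any text
    return re.compile(pattern, re.IGNORECASE)


if __name__ == "__main__":
    for h, fmt in named_pipe_patterns(parse_report(SAMPLE)):
        print(h[:16], fmt, "->", format_to_regex(fmt).pattern)
```

The format string is kept verbatim from the String ID field and only converted to a regex at the end, so the same record can also be fed to a YARA or Sysmon rule as a literal substring if a regex is not wanted.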
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: ErrorLast$setsockopt$Ioctlgetprotobynameioctlsocket
                                                                                                                                              • String ID: TCP$WSAIoctl SIO_KEEPALIVE_VALS 1 %lu %lu failed with error %d$ioctlsocket FIONBIO 1 failed with error %d$setsockopt SO_KEEPALIVE 1 failed with error %d
                                                                                                                                              • API String ID: 689193069-3784515845
                                                                                                                                              • Opcode ID: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
                                                                                                                                              • Instruction ID: 6d809c91e39f023ebf6ce9a52cce65c7296deccf03c5775e8562dc9700bc4213
                                                                                                                                              • Opcode Fuzzy Hash: 8a574de51de2f7b9e0da6b50ddb537149f76536c045387673f248ec90f46c37e
                                                                                                                                              • Instruction Fuzzy Hash: AA41A33260479A87E710CFA1E4447CDB7A4F398B94F948226DE8843754DF7DDA49CB84
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: lstrlen$ByteCharMultiVirtualWide$CreateDirectoryFreememset$Allocmemcpy
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2091574596-0
                                                                                                                                              • Opcode ID: 1b4b82f0b7e4c8ea5fbd9bd08a66728b17502ecdaec804405791d5810d399e2d
                                                                                                                                              • Instruction ID: ff2a2f3fec7bd8073ca490bb3b5af2cc68b85054965affe223272a6ee54c39d8
                                                                                                                                              • Opcode Fuzzy Hash: 1b4b82f0b7e4c8ea5fbd9bd08a66728b17502ecdaec804405791d5810d399e2d
                                                                                                                                              • Instruction Fuzzy Hash: DB31F231304A9143E764CF66F9403EDA3A1EB9AFC5F448225DB4A83B95DF3CD6458708
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: _time64randsrand
• String ID: !"#$$%&'$()*+$,-./$0123$4567$89:;$<=>?
• API String ID: 1363323005-2655883160
• Opcode ID: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
• Instruction ID: e7bb334ec8f8dd59bd997d665c30ff9287afab48d4810f77c595541bf5deefc9
• Opcode Fuzzy Hash: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
• Instruction Fuzzy Hash: 29114FB6B117A48FEB04CFA1A88409D7BB0F349B88B945629DA5A67B08CB34D241CF55
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: ErrorLast$Socketgetaddrinfo
• String ID:
• API String ID: 1420131935-0
• Opcode ID: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
• Instruction ID: 34a5965bd840560312aa75ad6a39f3d29034b6f120860fd1fbf506b28fe4d1c5
• Opcode Fuzzy Hash: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
• Instruction Fuzzy Hash: 1851AA72610B958BE720CFA1E4047DD77B4F758B98F408226EE4963B98CF39C659CB48
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: ErrorLast$getaddrinfosocket
• String ID:
• API String ID: 2350576183-0
• Opcode ID: 183dd14ccb18c69825c5ef14be7dfcbe68b6ff15fd6c6c6db8b03a0aaa48b992
• Instruction ID: f259361e2cbbdb2bf38f36df0632e4b11c684a811899461e3628724b526ef453
• Opcode Fuzzy Hash: 183dd14ccb18c69825c5ef14be7dfcbe68b6ff15fd6c6c6db8b03a0aaa48b992
• Instruction Fuzzy Hash: 60515873610A959BE720CFA0E4043DD77B1F758B58F008226EF5963A98CF38C658CB49
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$EventLeave$CloseEnterHandleObjectReadSingleSleepWait
• String ID:
• API String ID: 1497552152-0
• Opcode ID: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
• Instruction ID: 30d4f9ba48e0e04d64343985af919b576cc3f06bed5ca7a08c9fea9a20231a29
• Opcode Fuzzy Hash: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
• Instruction Fuzzy Hash: 40415D31300A52C7EB588FA1E9407EC73A0FB9AF88F499621DF5A47755CF38C6558349
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Create$CompatibleMetricsObjectSectionSelectSystem$AllocDesktopEventVirtualWindow
• String ID:
• API String ID: 623393097-0
• Opcode ID: d4d23b9cfb9482bdb896885728d8e23ede41b5937629a3350251762cf16a0030
• Instruction ID: 9ec0aa94372e5666acb642bdd4242b29b18dae0fb38c2b26442917d1c64ca7da
• Opcode Fuzzy Hash: d4d23b9cfb9482bdb896885728d8e23ede41b5937629a3350251762cf16a0030
• Instruction Fuzzy Hash: 3F411336200B65E7D718CF65E64868EB3B0F349B80F40861ADB8943B10DF38E176CB84
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memcpy$AllocVirtualmemset$EnvironmentExpandStrings
• String ID: 18.139.89.40$C:\Program Files\Windows Mail
• API String ID: 791498746-2261422552
• Opcode ID: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
• Instruction ID: 74fc471dae3d6dc65b53cfe62ee9ae27f82a002a617cbe515a34c5a375ad073d
• Opcode Fuzzy Hash: 2b26ddc07f84ee4290e8d8fcb28feba32ce194d0abf94b4343b1801c1ea13578
• Instruction Fuzzy Hash: 6871A572A15B8683E711CB28D5417ED7B60F7AAB88F14D315CE4953722FF28A285C704
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F5FAF
• VirtualFree.KERNEL32 ref: 000001845C4F5FD9
• VirtualFree.KERNEL32 ref: 000001845C4F6036
• VirtualFree.KERNEL32 ref: 000001845C4F6060
• VirtualFree.KERNEL32 ref: 000001845C4F60A2
• CreateFileW.KERNEL32 ref: 000001845C4F60CE
• DeviceIoControl.KERNEL32 ref: 000001845C4F6115
• CloseHandle.KERNEL32 ref: 000001845C4F6123
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$AllocFree$EnterRead$Leave$CloseControlCreateDeviceFileHandleInitialize
• String ID: D"$\\.\TrueSight
• API String ID: 655973622-2684836731
• Opcode ID: 27a08fb4fa4a8848856c421baff81ff9c7be46c9889b924c32ca9501aac5b7be
• Instruction ID: db24b36c7235ecd245bc8b8b5bd7a0bf9b011b9328e1d36dfd6faa44b60d45db
• Opcode Fuzzy Hash: 27a08fb4fa4a8848856c421baff81ff9c7be46c9889b924c32ca9501aac5b7be
• Instruction Fuzzy Hash: C1517F32714B9187EB64DF62E55479EB3A1FB99B80F44C215DB8A03B94DF38D2548B04
                                                                                                                                              APIs
                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Processlstrcmpi$CreateCurrentSessionThreadmemset
• String ID: HTTP$TCP$UDP
• API String ID: 1333632082-3864057669
• Opcode ID: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
• Instruction ID: 50a599c4fc0382cdef9a70babf022e4a1813171d334cbf6fefcfa4f29feb3cfa
• Opcode Fuzzy Hash: 79ca34c42b3aab9032cd5f6da8ec8d408d609f69abcf2edea33bd93b63b32bf1
• Instruction Fuzzy Hash: 4231C472614B9693E724CF61E8507DEB3B1F798B44F80D226D94A83654EF3CC685C744
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F3F23
• VirtualFree.KERNEL32 ref: 000001845C4F3F4D
• SetEvent.KERNEL32 ref: 000001845C4F3F7D
• WaitForSingleObject.KERNEL32 ref: 000001845C4F3F8F
• TerminateThread.KERNEL32 ref: 000001845C4F3F9A
• CloseHandle.KERNEL32 ref: 000001845C4F3FA8
• VirtualFree.KERNEL32 ref: 000001845C4F3FE0
• WaitForSingleObject.KERNEL32 ref: 000001845C4F4011
• TerminateThread.KERNEL32 ref: 000001845C4F401C
• CloseHandle.KERNEL32 ref: 000001845C4F402A
• VirtualFree.KERNEL32 ref: 000001845C4F4057
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$CloseHandleLeaveObjectSingleTerminateThreadWait$EventInitialize
• String ID:
• API String ID: 3987515053-0
• Opcode ID: 28e91978891c492b1cbaac380f24f71bf40da3fb043633dbee495f36113eb4af
• Instruction ID: ca93fae89915665d842f889c69bc192a4c065d4c82c2ad38e9731d2e6606e19b
• Opcode Fuzzy Hash: 28e91978891c492b1cbaac380f24f71bf40da3fb043633dbee495f36113eb4af
• Instruction Fuzzy Hash: 13414931306A0283FB58DF62E5547AEA3A1FB9AFC0F48D215CE4A07B59CF38D6518358
APIs
Similarity
• API ID: Service$CloseDatabaseFreeHandleOpenVirtual$ChangeConfigLockManagerQuerySleepStatusUnlock
• String ID:
• API String ID: 3731607402-0
• Opcode ID: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
• Instruction ID: 7ef48e071a7823fc2dd2c2895498d5f754f6f85ea59f69e77aa34da865041dc5
• Opcode Fuzzy Hash: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
• Instruction Fuzzy Hash: B041AE36300B5583EB68DF52A854B9EB3A5FB98F90F94C219CE9A43B14DF38C545C744
APIs
Similarity
• API ID: Process32$CloseHandleNextfreelstrcmpi$CreateFirstSnapshotToolhelp32malloc
• String ID:
• API String ID: 2997854644-0
• Opcode ID: fbb00ed28ea78f619fe1ddfcfc2a1448f07964961530676492a00d6974b8df58
• Instruction ID: 9db34ad6e6b4e5e7408b8770385eb6d4f3c5a65b3f4beec7d8d521f84c67f2fe
• Opcode Fuzzy Hash: fbb00ed28ea78f619fe1ddfcfc2a1448f07964961530676492a00d6974b8df58
• Instruction Fuzzy Hash: 8621F131300A4683EB688F66E9543ADA3A1F799FC0F89C325DD468B754DF3CDA408388
APIs
Similarity
• API ID: Desktop$Thread$CloseInformationObjectUsermemset$CurrentInputOpenlstrcmpi
• String ID:
• API String ID: 2480204736-0
• Opcode ID: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
• Instruction ID: 9c5ee9bb365f09d7e9d1001a9134c019b478b925d5d226d5b96fb8a0a86163eb
• Opcode Fuzzy Hash: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
• Instruction Fuzzy Hash: 86213935214B9693EB289F51E8587CEA3A1F799F84F848626DA4A43B54DF3CC309C784
APIs
Similarity
• API ID: CriticalFreeSectionVirtual$LeaveRead$Enter
• String ID:
• API String ID: 3895189749-0
• Opcode ID: 5b659170a3c5bc0ddeb54f8c31c300c9ac37a021183c1e4ae1f509fd982aa9e7
• Instruction ID: 85350888a5917fb9c70af8f152ee6b948ec715a433e70898b9c3038d39623a7b
• Opcode Fuzzy Hash: 5b659170a3c5bc0ddeb54f8c31c300c9ac37a021183c1e4ae1f509fd982aa9e7
• Instruction Fuzzy Hash: 67515F31301E4287FB588F62E4507AEA3A5FB9AF84F48C621DE4A4BB54DF3DD6458348
APIs
Strings
Similarity
• API ID: malloc$free$Timetime
• String ID: <$d$d
• API String ID: 3424428123-2034941416
• Opcode ID: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
• Instruction ID: 21c789ed9db910fc780f7758afc7ed7f4a9892df7f0cd282373aea83643fa2cb
• Opcode Fuzzy Hash: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
• Instruction Fuzzy Hash: 83714972202B95C7EB45CF61E58038D77A8F758B88F08C629CB882B764DF78C164DB54
APIs
Strings
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CloseHandle$CreateDirectoryProcessSystemlstrcatmemset
                                                                                                                                              • String ID: WinSta0\Winlogon$\cmd.exe$h
                                                                                                                                              • API String ID: 3110162951-1128999311
                                                                                                                                              • Opcode ID: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
                                                                                                                                              • Instruction ID: e45182b831c40154c96572bb6793f8743822333237036b797da9d07c219b3ef1
                                                                                                                                              • Opcode Fuzzy Hash: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
                                                                                                                                              • Instruction Fuzzy Hash: 16316033918BC283E7208F50E8447DEB7A0F7A6704F94D326D6C942A65EF78D294CB44
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: EventEventsFreeInfoParametersSystemVirtual$EnumErrorExecutionLastMultipleNetworkSelectStateThreadWait
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 705661956-0
                                                                                                                                              • Opcode ID: b3306e8e6be995fbad07b710c8ebb45c85d78bfb96534e55b13d4da9fa6293f6
                                                                                                                                              • Instruction ID: 4aa50c79c6e2bf43b2cdf44526f9116fe201c4d99986ac0420a298b4b0ed4455
                                                                                                                                              • Opcode Fuzzy Hash: b3306e8e6be995fbad07b710c8ebb45c85d78bfb96534e55b13d4da9fa6293f6
                                                                                                                                              • Instruction Fuzzy Hash: E051F136300A42C3EB658F26DA84FAD73A1FB56F84F159621CE0A43B94CF34CA51C745
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalReadSectionVirtual$AllocEnterErrorExitFreeLastLeaveThreadTimesendtime
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3122330297-0
                                                                                                                                              • Opcode ID: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
                                                                                                                                              • Instruction ID: 218727d5fe54140df3eaf73241a1a5794b388b0d1b5b19f86b01f85af616d780
                                                                                                                                              • Opcode Fuzzy Hash: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
                                                                                                                                              • Instruction Fuzzy Hash: 0141AF32300A5587E7598FA2E44039DB3A0F768F88F54C22ACB4A83794EF39DA55CB44
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1326835672-0
                                                                                                                                              • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                              • Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
                                                                                                                                              • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                              • Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1326835672-0
                                                                                                                                              • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                              • Instruction ID: 649731ae198dc1f129116bc9484d2e52d335e8c361f54c9094adad0cce7e989a
                                                                                                                                              • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                              • Instruction Fuzzy Hash: 423141337012038BFB64EB68D4563ED2391AB55344F44C429AACACB6D7DF298745CF15
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: AllocVirtual$CriticalInitializeSection$CreateEvent
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 469433356-0
                                                                                                                                              • Opcode ID: ea69eefc2d230828b900866a37b3cbd0fa8e3a0e552ff7279e715e0694118ad8
                                                                                                                                              • Instruction ID: bd2f9ccb69790b6cc1e53a166607b61beb278af286b810f6bbaa32b0cf4f2736
                                                                                                                                              • Opcode Fuzzy Hash: ea69eefc2d230828b900866a37b3cbd0fa8e3a0e552ff7279e715e0694118ad8
                                                                                                                                              • Instruction Fuzzy Hash: 2D415E32211F56C3EB158F51F9406CD77B8F719B80F81862ADA4943BA4EF38D668C359
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CreateThread$CloseCriticalHandleSection$AllocEnterInfoLeaveNativeReadSystemVirtual
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3571750651-0
                                                                                                                                              • Opcode ID: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
                                                                                                                                              • Instruction ID: 009a87c8347c997fb02751a64ac19451764fc84d4b3b58f3e8c039372517d1b8
                                                                                                                                              • Opcode Fuzzy Hash: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
                                                                                                                                              • Instruction Fuzzy Hash: FE416C32604B92C3DB24CF61E90079DB3A4F799B84F85C62ADE8907755EF38C695C748
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Service$Control$CloseHandleOpen$ManagerQuerySleepStartStatus
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2453229493-0
                                                                                                                                              • Opcode ID: 2273a004fea410f7597165bb23289446dcc16b9a87cf60cf92e4a93607a0279b
                                                                                                                                              • Instruction ID: c7939069333c4b482208236bfe8f4efb37c799630df03980cceba95c4922445e
                                                                                                                                              • Opcode Fuzzy Hash: 2273a004fea410f7597165bb23289446dcc16b9a87cf60cf92e4a93607a0279b
                                                                                                                                              • Instruction Fuzzy Hash: 9331D431600B6A83EA28DF92E51429EF3A1F7D8F81F44C221DA4A53B54DE3DC748CB48
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process32lstrlen$Next$CloseCreateFirstHandleSnapshotToolhelp32freemalloc
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 4027670598-0
                                                                                                                                              • Opcode ID: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
• Instruction ID: ecd9b2f4e0795a8e77f20034a3d7720f6c78264c0d1dd18c808482fef59634e8
• Opcode Fuzzy Hash: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
• Instruction Fuzzy Hash: 8E318D71204A1683EB649F26E84479DB7B0F789FD0F849221EE4A47B68DF3CC249CB04
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrcmpi
• String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
• API String ID: 1586166983-3507829934
• Opcode ID: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
• Instruction ID: 3f42149666f47bb0da145e7a4754c7f3fd0beef24bda6f077dbad3abfd55e07e
• Opcode Fuzzy Hash: 92d67e1772ed5d27b35ffe2b6b4ab96e07dede8ed643a73d65189ae7ffbca217
• Instruction Fuzzy Hash: 7B011220300B1967EA049BB6AD99399B2519F58FF5F849325AD2A837F8DF68C244C348
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
• String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
• API String ID: 2273495996-2419032777
• Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
• Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
• String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
• API String ID: 2273495996-2419032777
• Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction ID: 9136cc2e46e2b1c2881ad59cf5e40b820321d34a5dd54a28c1c77466e197d6bf
• Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
• Instruction Fuzzy Hash: EE415B37302B0287FA14DB64E8117DD2361AB8AB90F44D925C98E877E4DF2DD645CB18
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrcmpi$CreateThreadmemset
• String ID: HTTP$TCP$UDP
• API String ID: 1278753810-3864057669
• Opcode ID: 4f3725c6e9a3c20e9ab6cee16e493342bd08e11a55dedb5a078407a7875efed0
• Instruction ID: c474d4ceb27a87ecdecd1f6193620bcb41dde75bfe1726beba3fd062ff0c023f
• Opcode Fuzzy Hash: 4f3725c6e9a3c20e9ab6cee16e493342bd08e11a55dedb5a078407a7875efed0
• Instruction Fuzzy Hash: A9312571608B5697EB10CF61E8903DEB7B1F799B84F80D226DA4A83665EF3CC284C704
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
• Instruction ID: cfef962aad1478f284c253564928919d0486e7ce92c05e60f903897ac17f242a
• Opcode Fuzzy Hash: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
• Instruction Fuzzy Hash: B6C11536700A558BEB24CFB9D4846AC63B0F798F88F418616DE0E67B28DF38D649C744
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• GetCurrentProcessId.KERNEL32 ref: 000001845C4E2020
• ProcessIdToSessionId.KERNEL32 ref: 000001845C4E2030
  • Part of subcall function 000001845C4F6CA0: VirtualAlloc.KERNEL32 ref: 000001845C4F6CBE
  • Part of subcall function 000001845C4F6CA0: GetCurrentProcessId.KERNEL32 ref: 000001845C4F6D39
• VirtualAlloc.KERNEL32 ref: 000001845C4E2096
• InitializeCriticalSection.KERNEL32 ref: 000001845C4E20A8
• VirtualAlloc.KERNEL32 ref: 000001845C4E20CD
• InitializeCriticalSection.KERNEL32 ref: 000001845C4E20DF
• CreateThread.KERNEL32 ref: 000001845C4E2117
• WaitForSingleObject.KERNEL32 ref: 000001845C4E212D
• CloseHandle.KERNEL32 ref: 000001845C4E2136
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: AllocCriticalSectionVirtual$EnterInitializeProcessRead$CurrentLeave$CloseCreateHandleObjectSessionSingleThreadWait
• String ID:
• API String ID: 1571644542-0
• Opcode ID: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
• Instruction ID: 4df4d8f33240ec1b1b7cb588baf364732cf0a12ffc068a83b303e3cc2f0fcd38
• Opcode Fuzzy Hash: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
• Instruction Fuzzy Hash: 03315D32214B92C3EB24CF61F8006DEB7A4F799F80F55821AEA8647B94DF38D644C794
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: ErrorFreeLastOpenServiceVirtual$CloseHandleManager
• String ID:
• API String ID: 3563172158-0
• Opcode ID: ce12c43ad3cf74fd47867ee24130c725be5bd76402bb544879ce041abdb63390
• Instruction ID: 0e2abc5761eda03967a58eb413654bce1e5e600fc441ab25313f7312285530e5
• Opcode Fuzzy Hash: ce12c43ad3cf74fd47867ee24130c725be5bd76402bb544879ce041abdb63390
• Instruction Fuzzy Hash: F4217234700B6B83EB58EFA2A95439D9391AB9DFD0F0481259D0B83B55EE3CC6458748
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualAlloc.KERNEL32 ref: 000001845C4F8683
• VirtualAlloc.KERNEL32 ref: 000001845C4F86CF
• IsBadReadPtr.KERNEL32 ref: 000001845C4F8711
• EnterCriticalSection.KERNEL32 ref: 000001845C4F8729
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4F8740
                                                                                                                                              • LeaveCriticalSection.KERNEL32 ref: 000001845C4F8764
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F8789
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F87B3
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F87C9
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F87F3
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1953590826-0
                                                                                                                                              • Opcode ID: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
                                                                                                                                              • Instruction ID: bc956895820e8cdc15aa1e2a88058796b379983124b8132f059bffd5b217af63
                                                                                                                                              • Opcode Fuzzy Hash: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
                                                                                                                                              • Instruction Fuzzy Hash: D1518E32311A5183EB18DF62E9547AEA3A0FB8AF80F44C125CF4A47B54DF38E6558748
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: send
                                                                                                                                              • String ID: CONNECT %s:%u HTTP/1.1Host: %s:%uUser-agent: lws$Proxy-authorization: basic %s$RAW$client_connect4$first service failed$proxy write failed
                                                                                                                                              • API String ID: 2809346765-3983456341
                                                                                                                                              • Opcode ID: 11d3f37dd95c02476e6052aa96ec3df33aad2b63795300cda34447b6fc21c926
                                                                                                                                              • Instruction ID: 74518b624b0ec49d1f1b5eaa2f24e0aae8417b7eafb79fc4b3e1a59dcc865aaf
                                                                                                                                              • Opcode Fuzzy Hash: 11d3f37dd95c02476e6052aa96ec3df33aad2b63795300cda34447b6fc21c926
                                                                                                                                              • Instruction Fuzzy Hash: C081B1722106AA83EB548FA2D4547EDB3E4F764B88F84C236DE4957794DF38C641C788
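The String ID on this record, `CONNECT %s:%u HTTP/1.1` / `Host: %s:%u` / `User-agent: lws` followed by `Proxy-authorization: basic %s`, is the HTTP-proxy tunnelling request that libwebsockets sends from its client connect path; the accompanying `client_connect4`, `first service failed` and `proxy write failed` strings are that library's log messages, and the CRLF terminators between the header lines are collapsed in the report rendering. In practice this means the implant can reach its server through an authenticating HTTP proxy, and that CONNECT request is where it becomes visible in proxy logs or to a network sensor. The code below is an added example, not code from the report or from the sample: it parses a raw CONNECT request, decodes the Basic proxy credentials, and flags the exact `User-agent: lws` fingerprint. The two sample requests, the address 203.0.113.10 and the credentials in them are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: what a proxy log or a capture would hand us for a client
# issuing the libwebsockets CONNECT sequence quoted in the report. On the wire
# the header lines are CRLF-terminated, as here (the report rendering collapses them).
SAMPLE_LWS_CONNECT = (
    b"CONNECT 203.0.113.10:443 HTTP/1.1\r\n"
    b"Host: 203.0.113.10:443\r\n"
    b"User-agent: lws\r\n"
    b"Proxy-authorization: basic " + base64.b64encode(b"proxyuser:S3cret!") + b"\r\n"
    b"\r\n"
)

# Constructed benign request for contrast: a browser tunnelling to a CDN.
SAMPLE_BROWSER_CONNECT = (
    b"CONNECT cdn.example.net:443 HTTP/1.1\r\n"
    b"Host: cdn.example.net:443\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"\r\n"
)

_REQUEST_LINE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]$")

@dataclass
class ConnectRequest:
    target_host: str
    target_port: int
    headers: Dict[str, str] = field(default_factory=dict)  # header names lower-cased
    proxy_user: Optional[str] = None
    proxy_password: Optional[str] = None

def parse_connect(raw: bytes) -> Optional[ConnectRequest]:
    """Parse a raw HTTP CONNECT request; return None if it is not a complete one."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not terminated
    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        return None  # not a CONNECT request line
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None  # malformed header line
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    req = ConnectRequest(m.group(1).decode("latin-1"), int(m.group(2)), headers)
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            creds = base64.b64decode(token, validate=True).decode("latin-1")
            req.proxy_user, _, req.proxy_password = creds.partition(":")
        except ValueError:
            pass  # undecodable credentials; the user-agent check below still applies
    return req

def is_lws_connect(req: ConnectRequest) -> bool:
    """Fingerprint from the report: 'User-agent: lws' on a CONNECT whose Host mirrors the target."""
    return (req.headers.get("user-agent") == "lws"
            and req.headers.get("host") == f"{req.target_host}:{req.target_port}")

def scan(requests: List[bytes]) -> List[dict]:
    """Run the check over captured requests; return one finding per lws-style CONNECT."""
    findings = []
    for raw in requests:
        req = parse_connect(raw)
        if req and is_lws_connect(req):
            findings.append({"target": f"{req.target_host}:{req.target_port}",
                             "proxy_user": req.proxy_user})
    return findings

if __name__ == "__main__":
    for hit in scan([SAMPLE_LWS_CONNECT, SAMPLE_BROWSER_CONNECT]):
        print(hit)
```

The `lws` user-agent is shared by every legitimate libwebsockets client, so a match is a pivot rather than a verdict: correlate it with the originating process (the dumps in this record come from a svchost.exe process, per the snapshot file name) and with the CONNECT target, and treat the recovered proxy credentials as compromised, since the implant had to read them from somewhere on the host.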
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: FreeMemory$EnumerateInformationQuerySessionSessionslstrlen
                                                                                                                                              • String ID: system
                                                                                                                                              • API String ID: 3618899143-3377271179
                                                                                                                                              • Opcode ID: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
                                                                                                                                              • Instruction ID: f1451d5a3b79ab1c642746d8d911cbfcf37fd4f889546922965e675a635cbc28
                                                                                                                                              • Opcode Fuzzy Hash: b32c9ff873edc57c0f6f3c7361fb97fa384e6bee228724bcac05ea03c1df1bf5
                                                                                                                                              • Instruction Fuzzy Hash: B04167B6B10A619BEB10CF65E8846DD37B4F348B98F405A16EF0A43B58DF34C694CB44
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: lstrcat$DeleteErrorFileLastmemset
                                                                                                                                              • String ID: C:\Program Files\Windows Mail$\temp.key
                                                                                                                                              • API String ID: 3002015462-229217837
                                                                                                                                              • Opcode ID: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
                                                                                                                                              • Instruction ID: bfd22213e7e813b4eb6d1a94106f1a3266467c681bb58b5400363f3a04db7e2d
                                                                                                                                              • Opcode Fuzzy Hash: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
                                                                                                                                              • Instruction Fuzzy Hash: 8A119132608B86C3D7208F65F44439EF3A0F7D9B84F508216E68942A68DF7CC248CB44
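Every function summary in this listing has the same layout: an `APIs` list of resolved calls with their addresses (entries prefixed `Part of subcall function` name the callee they belong to), a `Memory Dump Source` block naming the dump and the module base it was carved from, the IDA snapshot file, and a `Similarity` block whose `API ID` and `String ID` are `$`-joined fragments and whose `API String ID` is a pair of hashes over them. To pivot on these across reports (the same Opcode ID or Instruction ID turning up in another sample, or the same dropped-file strings such as `C:\Program Files\Windows Mail` and `\temp.key` above), it helps to pull the records into a structure. The parser below is an added example, not part of the Joe Sandbox report or of its tooling; its sample input is constructed from two of the records in this listing and deliberately includes the `Download File` link text that the page rendering appends to each associated dump name.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout of the listing above (two function records,
# values copied from it). Indentation is irrelevant to the parser.
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
• VirtualAlloc.KERNEL32 ref: 000001845C4F8683
• VirtualFree.KERNEL32 ref: 000001845C4F8789
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
• Instruction ID: bc956895820e8cdc15aa1e2a88058796b379983124b8132f059bffd5b217af63
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrcat$DeleteErrorFileLastmemset
• String ID: C:\Program Files\Windows Mail$\temp.key
• API String ID: 3002015462-229217837
• Opcode ID: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
• Instruction ID: bfd22213e7e813b4eb6d1a94106f1a3266467c681bb58b5400363f3a04db7e2d
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # link text the HTML rendering glues onto each dump name
_API_LINE = re.compile(
    r"^(?:Part of subcall function ([0-9A-F]+): )?([\w.]+)(?:\([^)]*\))?,? ref: ([0-9A-F]+)$")
_SOURCE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-F]+), based on PE: (true|false)$")

@dataclass
class FunctionRecord:
    apis: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)  # (api, ref, subcall)
    source_file: Optional[str] = None
    module_base: Optional[str] = None
    associated: List[str] = field(default_factory=list)
    snapshot: Optional[str] = None
    api_id: List[str] = field(default_factory=list)
    string_id: List[str] = field(default_factory=list)
    api_string_id: Optional[Tuple[int, int]] = None
    opcode_id: Optional[str] = None
    instruction_id: Optional[str] = None

def _split_id(value: str) -> List[str]:
    """API ID and String ID are '$'-joined fragments; an empty value yields []."""
    return [part for part in value.split("$") if part]

def parse_report(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":  # every record opens with its APIs list
                records.append(FunctionRecord())
            section = line
            continue
        if not line.startswith("•") or not records:
            continue  # text outside any record
        item = line.lstrip("•").strip()
        rec = records[-1]
        if section == "APIs":
            m = _API_LINE.match(item)
            if m:
                rec.apis.append((m.group(2), m.group(3), m.group(1)))
            continue
        key, _, value = item.partition(":")  # split on the first ':' only; values may contain ':'
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = _SOURCE.match(value)
            if m:
                rec.source_file, rec.module_base = m.group(1), m.group(2)
        elif key == "Associated":
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)]
            rec.associated.append(value)
        elif key == "Snapshot File":
            rec.snapshot = value
        elif key == "API ID":
            rec.api_id = _split_id(value)
        elif key == "String ID":
            rec.string_id = _split_id(value)
        elif key == "API String ID":
            a, _, b = value.partition("-")
            rec.api_string_id = (int(a), int(b))
        elif key == "Opcode ID":
            rec.opcode_id = value
        elif key == "Instruction ID":
            rec.instruction_id = value
    return records

def path_strings(records: List[FunctionRecord]) -> List[str]:
    """String fragments containing a Windows path separator, deduplicated, in report order."""
    seen: List[str] = []
    for rec in records:
        for s in rec.string_id:
            if "\\" in s and s not in seen:
                seen.append(s)
    return seen
```

The String ID fragments are kept separate on purpose: the report lists them as distinct strings, and it is the `lstrcat` in the same record's API ID that suggests the sample joins them at run time, so a disk hunt should look for the file name under the directory rather than grep for a single literal.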
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
                                                                                                                                              • String ID: svchost.exe
                                                                                                                                              • API String ID: 2075570005-3106260013
                                                                                                                                              • Opcode ID: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
                                                                                                                                              • Instruction ID: a7e4a02683164cc51efae999f71ec939c82b81573c8ef5df0e77f5c8c66af7f8
                                                                                                                                              • Opcode Fuzzy Hash: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
                                                                                                                                              • Instruction Fuzzy Hash: 7E015231311A4D81FBAAEB21E8A93DA6360BB8D795F449125A99E46295DF3CC34CC740
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Process$CreateToken$User$BlockCurrentDuplicateEnvironmentErrorInformationLastOpen
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2924300727-0
                                                                                                                                              • Opcode ID: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
                                                                                                                                              • Instruction ID: df9b6c6ae7bc7adae67e1b8baa30e10d9bae824d6b4eea8d8d5d19a8ef8addb3
                                                                                                                                              • Opcode Fuzzy Hash: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
                                                                                                                                              • Instruction Fuzzy Hash: 88515A32B04B928BE750CFA1E48079D73B5F399788F409215AE8C67B18DF38C659C744
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocErrorFreeLastTimesendsockettime
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 675528727-0
                                                                                                                                              • Opcode ID: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
                                                                                                                                              • Instruction ID: 8bd8b166faa03308d004f32ce7480bc75e961102b2c0e3e418abec95e65868a9
                                                                                                                                              • Opcode Fuzzy Hash: ffa402f768c8f16eaddf7cabb92685b8e3fc598e86ccd357d1f3be0cf34130b3
                                                                                                                                              • Instruction Fuzzy Hash: FA419332310A6543EB58CF66E90479EA7A1F7A9FC0F08C125DF4A93B94DF39C6518748
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4EDF24
• VirtualFree.KERNEL32 ref: 000001845C4EDF4E
• CreateEventW.KERNEL32 ref: 000001845C4EDF64
• CreateThread.KERNEL32 ref: 000001845C4EDF89
• IsBadReadPtr.KERNEL32 ref: 000001845C4EDF9E
• EnterCriticalSection.KERNEL32 ref: 000001845C4EDFB1
• VirtualAlloc.KERNEL32 ref: 000001845C4EDFC8
• LeaveCriticalSection.KERNEL32 ref: 000001845C4EDFEC
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$CreateFree$EventInitializeThread
• String ID:
• API String ID: 1715669518-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalReadSection$EnterErrorExitLastLeaveObjectSingleThreadWaitsend
• String ID:
• API String ID: 152332814-0
APIs
• __chkstk.NTDLL ref: 000001845C4EE01D
• memset.NTDLL ref: 000001845C4EE048
• memset.NTDLL ref: 000001845C4EE05A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4EE09B
• VirtualFree.KERNEL32 ref: 000001845C4EE0C5
• VirtualFree.KERNEL32 ref: 000001845C4EE197
• VirtualFree.KERNEL32 ref: 000001845C4EE1C1
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leavememset$Initialize__chkstk
• String ID:
• API String ID: 2598321309-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual$lstrcat
• String ID: HTTP$TCP$UDP
• API String ID: 1793027038-3864057669
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4ED790
• VirtualFree.KERNEL32 ref: 000001845C4ED7BA
• CreateThread.KERNEL32 ref: 000001845C4ED7E8
• IsBadReadPtr.KERNEL32 ref: 000001845C4ED80C
• EnterCriticalSection.KERNEL32 ref: 000001845C4ED81F
• VirtualAlloc.KERNEL32 ref: 000001845C4ED836
• LeaveCriticalSection.KERNEL32 ref: 000001845C4ED85A
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
• String ID:
• API String ID: 1508740679-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Alloc$InfoUserlstrcmpi
• String ID:
• API String ID: 2840552451-0
                                                                                                                                              • Opcode ID: 60893066e3bbf6b45f4eeb8daf225cdee7bfb0fcc925a5af3644fbef4d97a442
                                                                                                                                              • Instruction ID: 6fc57d462450a6fbbcb10b92037aef265d8ed9d64c8b1151508bca33e0d6f70f
                                                                                                                                              • Opcode Fuzzy Hash: 60893066e3bbf6b45f4eeb8daf225cdee7bfb0fcc925a5af3644fbef4d97a442
                                                                                                                                              • Instruction Fuzzy Hash: F8415E31715A5187EB74CF22E84479EA3A0F79AF84F449219CE8A43B54DF3CE2498B04
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4EDCEA
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4EDD14
                                                                                                                                              • CreateThread.KERNEL32 ref: 000001845C4EDD40
                                                                                                                                              • IsBadReadPtr.KERNEL32 ref: 000001845C4EDD64
                                                                                                                                              • EnterCriticalSection.KERNEL32 ref: 000001845C4EDD77
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4EDD8E
                                                                                                                                              • LeaveCriticalSection.KERNEL32 ref: 000001845C4EDDB2
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
• String ID:
• API String ID: 1508740679-0
• Opcode ID: 33e1a942eb179548a12bd386c64c40eaa7ac80ee1b1c8749cbcaf6457b593539
• Instruction ID: 85124277117ca72bdca0af5d8c0732814ff8fc30fcf3a6eaf0ae9d0443eb54b4
• Opcode Fuzzy Hash: 33e1a942eb179548a12bd386c64c40eaa7ac80ee1b1c8749cbcaf6457b593539
• Instruction Fuzzy Hash: A7417936711B4187EB58CF22E54469DB7A4FB88F84F88822ADF4943B14DF38D665CB44
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$ByteCharFreeMultiWide$AllocFileWritelstrlen
• String ID:
• API String ID: 2835453980-0
• Opcode ID: 2ccbba1d97933468815318aad32eba688173e7f35fa5392403b466c644259abf
• Instruction ID: 85663dcb2571f80e464df6aa7a1c5b93c21b1fdf1be8aa61e03d12da3617c74a
• Opcode Fuzzy Hash: 2ccbba1d97933468815318aad32eba688173e7f35fa5392403b466c644259abf
• Instruction Fuzzy Hash: A0316F31308B5583EB58DF67A99465EB3A1FB99FC0F448125DE8A53F24DF38D1228748
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtualmemcpymemset$FileOperation
• String ID:
• API String ID: 467530429-0
• Opcode ID: 14cb9642c533215b7a2e2bfcfdb6d7d7cadd70b785f3dc976475013d93c55a53
• Instruction ID: b9604e9747e6906363e870a84f82c7ccec0fd1850b2c5af743268e4633527b03
• Opcode Fuzzy Hash: 14cb9642c533215b7a2e2bfcfdb6d7d7cadd70b785f3dc976475013d93c55a53
• Instruction Fuzzy Hash: E4317E32214B9587DB24CF12F48068EF3A4FB85B84F548615DB9D03B28DF38D216CB44
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsSendWait
• String ID:
• API String ID: 248740593-0
• Opcode ID: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
• Instruction ID: c1c01372e2f8ecbf838a257cb68b6781e1a5b43bb6c7580a4f1f8788adb76725
• Opcode Fuzzy Hash: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
• Instruction Fuzzy Hash: 5C315232608B9997E7608FA4F8407DEF760F794B54F508226EB8883B54DF78D698CB44
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: ErrorFileLastVirtual$AllocBuffersFlushFreeNamedPeekPipeRead
• String ID:
• API String ID: 1637252459-0
• Opcode ID: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
• Instruction ID: e1c0d42a47bb69554df49266af5f241abd5def3180e5487f8351703e3561ef67
• Opcode Fuzzy Hash: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
• Instruction Fuzzy Hash: 36215136304A5587E7208FA2F40069EF3A0F789BE5F488225DE4D47B54DF78D5958B18
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeMemoryProcessSession$CreateCurrentDirectoryEnumerateErrorInformationLastQuerySessionsSystemThreadlstrcatmemset
• String ID:
• API String ID: 3188162108-0
• Opcode ID: a0f1e4af9b35d422d03ebaa43e648843dcc74811eb2673a9a5bc5e68af15dc2a
• Instruction ID: 0f5d1f2f89b9f584f77750c9495a8e917ae2141c8517d25c65ce40fcda1e3b5c
• Opcode Fuzzy Hash: a0f1e4af9b35d422d03ebaa43e648843dcc74811eb2673a9a5bc5e68af15dc2a
• Instruction Fuzzy Hash: 12315C32218B55D7D7508F61F88068FB7B1F388B94F94821AEB8A43B28DF38D655CB44
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CloseHandle$CreateErrorLastProcessSuspendThreadTokenWith
• String ID: h
• API String ID: 1678065097-2439710439
• Opcode ID: 34fa300228c636eaa0f0248c957d63175a617a8d2a4f03bc85cdcff5c74062eb
• Instruction ID: cac6ec860a7db5146aa0228ea8147076769b5d805b2b14c0f58591c977d2ad08
• Opcode Fuzzy Hash: 34fa300228c636eaa0f0248c957d63175a617a8d2a4f03bc85cdcff5c74062eb
• Instruction Fuzzy Hash: DD314E33A18B9183E710CF91E4846AEB3A4F7D8B94F119226EA9803B15DFB9C5D4CB40
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: OpenService$CloseErrorHandleLastManager
• String ID:
• API String ID: 2659350385-0
                                                                                                                                              • Opcode ID: be0d97674b5d01ddbad740662ad065086e858ccad381bdd0b1a3b9729ee50c89
                                                                                                                                              • Instruction ID: d01c5cb676d90ac7528ae45bfc1e62a0ac84dcf60144b00d2a340e9cb5c63b2a
                                                                                                                                              • Opcode Fuzzy Hash: be0d97674b5d01ddbad740662ad065086e858ccad381bdd0b1a3b9729ee50c89
                                                                                                                                              • Instruction Fuzzy Hash: 8A019E35714A0A83EF098FA6F9846AC92A1BB5CFD4F488135CE0A06711EE7CC6848B48
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Read$CriticalEnterErrorExitLastSectionThreadsend
• String ID:
• API String ID: 4016372045-0
• Opcode ID: d7c53ff00559cd01b286f1a6d6dd771ff59319f2d2823e378d410a2d7a4538d3
• Instruction ID: c6a9d02a06c2d00e11b695d4eb797dd42b818c6ea7b72646f7cafb442fe3d628
• Opcode Fuzzy Hash: d7c53ff00559cd01b286f1a6d6dd771ff59319f2d2823e378d410a2d7a4538d3
• Instruction Fuzzy Hash: DD015E32324A6587D7449F61F84029DA360FB98F84F889126EF4A83B55CF39C955C784
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: DirectoryErrorFreeLastSystemVirtuallstrcatmemset
• String ID: \svchost.exe -k netsvcs
• API String ID: 1196864501-2993138014
• Opcode ID: 4899bdc5faaa1a50a6070bd62f2c10f6be7ce4c39736347503a2d79e50c34c7c
• Instruction ID: 5a1661f5af0cd8f08ce4847ce64d4970d24f4051e674d702db7a77b7d312e281
• Opcode Fuzzy Hash: 4899bdc5faaa1a50a6070bd62f2c10f6be7ce4c39736347503a2d79e50c34c7c
• Instruction Fuzzy Hash: 6001803121095A83EB20DF61E8547DEA361F795B54F408311DAAD436E9DF3CC349C748
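The function above combines a system-directory path build (its API ID lists the GetSystemDirectory, lstrcat and memset tokens) with the literal `\svchost.exe -k netsvcs`, and the snapshot this listing comes from was taken inside an svchost process. The standard hunting check that follows from that pairing is to look for svchost.exe instances that the Service Control Manager did not start. The script below is an added example, not Joe Sandbox output and not code from the sample; the process-creation events it scores are constructed in the Sysmon Event ID 1 style, and the dropper path in the second event is hypothetical.

```python
"""Hunting check: svchost.exe instances that were not started by the SCM.

Added example for this report; not Joe Sandbox code and not code from the
sample. The events below are constructed (Sysmon Event ID 1 style fields),
not taken from this analysis.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# Legitimate svchost images and the only legitimate parent (the SCM).
EXPECTED_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
EXPECTED_PARENT = r"c:\windows\system32\services.exe"


def svchost_findings(ev: ProcCreate) -> list[str]:
    """Return reasons an svchost.exe creation looks abnormal (empty if none).

    Non-svchost events return an empty list so the function can run over a
    mixed event feed.
    """
    if ntpath.basename(ev.image).lower() != "svchost.exe":
        return []
    reasons = []
    if ev.image.lower() not in EXPECTED_IMAGES:
        reasons.append("svchost image outside System32/SysWOW64")
    if ev.parent_image.lower() != EXPECTED_PARENT:
        reasons.append("parent is not services.exe")
    # services.exe always passes a service group with -k; a bare svchost
    # command line points at a manually launched host process.
    args = ev.command_line.lower().split()
    if "-k" not in args:
        reasons.append("no -k service group on the command line")
    return reasons


def triage(events: list[ProcCreate]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events with a finding."""
    out = {}
    for i, ev in enumerate(events):
        hits = svchost_findings(ev)
        if hits:
            out[i] = hits
    return out


# Constructed sample feed (not from the report).
SAMPLE_EVENTS = [
    # 0: ordinary SCM-started netsvcs host
    ProcCreate(r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\svchost.exe -k netsvcs -p",
               r"C:\Windows\System32\services.exe"),
    # 1: genuine binary and the same netsvcs group, but started by a
    #    user-land executable (hypothetical path)
    ProcCreate(r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\svchost.exe -k netsvcs",
               r"C:\Users\user\Downloads\dropper.exe"),
    # 2: look-alike binary outside System32, launched from the shell
    ProcCreate(r"C:\Users\Public\svchost.exe",
               r"C:\Users\Public\svchost.exe",
               r"C:\Windows\explorer.exe"),
    # 3: unrelated process, ignored by the check
    ProcCreate(r"C:\Windows\System32\notepad.exe",
               r"notepad.exe",
               r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", "; ".join(reasons))
```

Event 1 is the case this listing points at: the real svchost.exe with the real netsvcs group, flagged only because its parent is not services.exe. Treat the parent rule as a hunting lead rather than a hard alert; a few management agents legitimately spawn svchost, so review the parent before escalating.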
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$CriticalFreeInitializeSection
• String ID:
• API String ID: 2852478515-0
• Opcode ID: 2ca86a1fc827d6d4b782268000abc3b1b2f9c80ad164c5e90495c9a43af317c5
• Instruction ID: 4eb4edefc3cf701e8b4a8ca3e68f12cdb2ca65f78887cba2590c3f249fd1e1ff
• Opcode Fuzzy Hash: 2ca86a1fc827d6d4b782268000abc3b1b2f9c80ad164c5e90495c9a43af317c5
• Instruction Fuzzy Hash: 4C61E536201F41D7EB158F21E5807DD33A8FB09B44F95862ACA9D07768EF38C668C399
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memset
• String ID: default$lws_free$lws_protocol_init_vhost$protocol %s failed init$raw
• API String ID: 2221118986-224536676
• Opcode ID: 3ca2b0dda705691ad3dfa99d16c899407311fd09951ce103c95fd508c95c4fdf
• Instruction ID: c38578978c1842cea012f18f5b14a9c98bc2c95fc647e69e46e26f3d1a34e16d
• Opcode Fuzzy Hash: 3ca2b0dda705691ad3dfa99d16c899407311fd09951ce103c95fd508c95c4fdf
• Instruction Fuzzy Hash: A9919D76600BEA83EB698F92D0187EDB7A0F7A6B88F549216CF9943744DF35D611C308
Note: `lws_free`, `lws_protocol_init_vhost` and `protocol %s failed init` appear to be internal function and log strings from the libwebsockets library (`lws_protocol_init_vhost` is a libwebsockets routine), so this function most likely belongs to a statically linked networking library rather than to sample-specific logic; its opcode and fuzzy hashes are therefore weak family indicators on their own.
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: lstrcmpi
• String ID: U:I:$V:R:$V:_:$^:V:$_:B:
• API String ID: 1586166983-194391922
• Opcode ID: c37ba9e02582e707534a94e5af5016ab63ae1cbaf134c547084023abedeaea09
• Instruction ID: 712c738359a5a1c45be75745e36351c2ab1b3242ec0b4494c5a6f49898cc714e
• Opcode Fuzzy Hash: c37ba9e02582e707534a94e5af5016ab63ae1cbaf134c547084023abedeaea09
• Instruction Fuzzy Hash: 05617933B04781CFF321CFB5C400AED3BB1E79A788F169619DE8466A49EE789655C344
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocFree$InfoUserlstrcmpi
• String ID:
• API String ID: 4244901044-0
• Opcode ID: 4bb39a4d54623631dae1162540759efd2fad283e37046eba1ed0997ae9d8ff27
• Instruction ID: b1698ab126fe25a96d45fba1dba61ae8ad5e561dc90fbbf69a80cc2858243933
• Opcode Fuzzy Hash: 4bb39a4d54623631dae1162540759efd2fad283e37046eba1ed0997ae9d8ff27
• Instruction Fuzzy Hash: ED31D375314B5543FB148F62E84479EA7A1EB49FC1F448128DD4A83B98DFBCD649CB04
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: AllocBitmapBitsCompatibleCreateDeleteObjectReleaseVirtual
• String ID:
• API String ID: 1942853633-0
• Opcode ID: d610f2210541b487ea599f3beb68992543fe9b84b09e2f87d6652d28e22b4989
• Instruction ID: 98c59d93091d9eed0e4a93d3a7b08bdcd17b313ef8cad185dfe52055d2f46f95
• Opcode Fuzzy Hash: d610f2210541b487ea599f3beb68992543fe9b84b09e2f87d6652d28e22b4989
• Instruction Fuzzy Hash: 2C21DE72210B9587EB089F26B81425DBAA0FB89FD0F45862EDE4653B60CF38C1018B08
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CountCreateFileTick$ErrorLastSleep
• String ID:
• API String ID: 2478964991-0
• Opcode ID: 44fd06d3c223e048c4d0489ead7cd8fe85b8e69849f9c6ee32731d4873113aa6
• Instruction ID: dedbafb659897397ebc30922c3f665251df8f99f8427e5809956ecec19ba128d
• Opcode Fuzzy Hash: 44fd06d3c223e048c4d0489ead7cd8fe85b8e69849f9c6ee32731d4873113aa6
• Instruction Fuzzy Hash: 0C216A31204B5187F3608F60E84475EB6A0F388BB8F544721EAA943BD8CF3CCA45CB48
                                                                                                                                              APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 086ef2399a2b39805725e1e66e9ffec4bc1c65bc9c079221ec383ecf087ce0d7
• Instruction ID: 25daf245f3fa1e2d5d7b4d4a5885b0c66eb2161192c14660b557197cccba95b1
• Opcode Fuzzy Hash: 086ef2399a2b39805725e1e66e9ffec4bc1c65bc9c079221ec383ecf087ce0d7
• Instruction Fuzzy Hash: AE513736202B59C3EB408F99E6807AC73A5F788F84F59C622CA5D03364DF74C6A2C315
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4ED9B9
• VirtualFree.KERNEL32 ref: 000001845C4EDA86
• VirtualFree.KERNEL32 ref: 000001845C4EDAB0
• CloseHandle.KERNEL32 ref: 000001845C4EDAC5
• VirtualFree.KERNEL32 ref: 000001845C4EDAF8
• VirtualFree.KERNEL32 ref: 000001845C4EDB22
• VirtualFree.KERNEL32 ref: 000001845C4EDB37
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E442D
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E445F
  • Part of subcall function 000001845C4E4410: InitializeCriticalSection.KERNEL32 ref: 000001845C4E4474
  • Part of subcall function 000001845C4E4410: IsBadReadPtr.KERNEL32 ref: 000001845C4E4490
  • Part of subcall function 000001845C4E4410: EnterCriticalSection.KERNEL32 ref: 000001845C4E44A3
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E44BA
  • Part of subcall function 000001845C4E4410: LeaveCriticalSection.KERNEL32 ref: 000001845C4E44E9
  • Part of subcall function 000001845C4E4410: IsBadReadPtr.KERNEL32 ref: 000001845C4E44FE
  • Part of subcall function 000001845C4E4410: EnterCriticalSection.KERNEL32 ref: 000001845C4E4511
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E4528
  • Part of subcall function 000001845C4E4410: LeaveCriticalSection.KERNEL32 ref: 000001845C4E4557
  • Part of subcall function 000001845C4E4410: IsBadReadPtr.KERNEL32 ref: 000001845C4E456C
  • Part of subcall function 000001845C4E4410: EnterCriticalSection.KERNEL32 ref: 000001845C4E457F
  • Part of subcall function 000001845C4E4410: VirtualAlloc.KERNEL32 ref: 000001845C4E4596
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$Free$Leave$Initialize$CloseHandle
• String ID:
• API String ID: 1803526796-0
• Opcode ID: 2389004f1622c871db37be869d3889ec8ed68640e4297f82caa4ce24a07498eb
• Instruction ID: 42ef902c05b430c41ac76b11e393b06e52416f0e7058e47bc29f390ca43620bc
• Opcode Fuzzy Hash: 2389004f1622c871db37be869d3889ec8ed68640e4297f82caa4ce24a07498eb
• Instruction Fuzzy Hash: C8513931301F5287EB64CF52F49469EB3A8FB59B80F048225CB9A43BA4DF38C250C349
APIs
Similarity
• API ID: CriticalSection$Leave$Enter
• String ID:
• API String ID: 2978645861-0
• Opcode ID: f64cf19514c4a9b2708fe76cc4375897a169406fda7ea7ef4dfe89a5c2b49c5b
• Instruction ID: 8a7ff6c76f249587da4f663bc0d76ec93547d6fc01d7cc797f87542622aefdb5
• Opcode Fuzzy Hash: f64cf19514c4a9b2708fe76cc4375897a169406fda7ea7ef4dfe89a5c2b49c5b
• Instruction Fuzzy Hash: FD417E36310A66C3E7108F61E80039EB3A5FB94F94F888226DE5A97754DF78CA05C788
APIs
• GetCurrentProcessId.KERNEL32 ref: 000001845C4E5973
  • Part of subcall function 000001845C4FCC60: CreateToolhelp32Snapshot.KERNEL32 ref: 000001845C4FCC76
  • Part of subcall function 000001845C4FCC60: malloc.MSVCRT ref: 000001845C4FCC84
  • Part of subcall function 000001845C4FCC60: Process32FirstW.KERNEL32 ref: 000001845C4FCCA2
  • Part of subcall function 000001845C4FCC60: free.MSVCRT ref: 000001845C4FCCB7
  • Part of subcall function 000001845C4FCC60: CloseHandle.KERNEL32(?,?,00000000,000001845C4F6D46), ref: 000001845C4FCCC5
  • Part of subcall function 000001845C4FD140: OpenSCManagerW.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000001845C4E264E), ref: 000001845C4FD165
  • Part of subcall function 000001845C4FD140: EnumServicesStatusExW.ADVAPI32 ref: 000001845C4FD1B1
  • Part of subcall function 000001845C4FD140: malloc.MSVCRT ref: 000001845C4FD1C6
  • Part of subcall function 000001845C4FD140: memset.NTDLL ref: 000001845C4FD1DC
  • Part of subcall function 000001845C4FD140: EnumServicesStatusExW.ADVAPI32 ref: 000001845C4FD21B
  • Part of subcall function 000001845C4FD140: CloseServiceHandle.ADVAPI32(?,?,?,?,?,00000000,00001000,00000000,?,000001845C4E264E), ref: 000001845C4FD228
  • Part of subcall function 000001845C4FD140: free.MSVCRT ref: 000001845C4FD231
• ExitProcess.KERNEL32 ref: 000001845C4E5998
• VirtualFree.KERNEL32 ref: 000001845C4E5BA8
• VirtualFree.KERNEL32 ref: 000001845C4E5BD2
Strings
Similarity
• API ID: CloseEnumFreeHandleProcessServicesStatusVirtualfreemalloc$CreateCurrentExitFirstManagerOpenProcess32ServiceSnapshotToolhelp32memset
• String ID: Schedule
• API String ID: 2593299425-2739827629
• Opcode ID: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
• Instruction ID: 0ff8d722de702730b161c23f923254f9ebac40ddd2a296ef60eb3ee39c2f398e
• Opcode Fuzzy Hash: d2ede1c26b53fc35dc056e9d6b3441cc13192b8f0a26bde5ec17dc0c8f87d235
• Instruction Fuzzy Hash: FA01D631300B5283FB78AFB1E9907EDA260AB91B80F40C216CA8A027D1DE3CC285430D
APIs
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
• Instruction ID: dd593b2d9bfcac789202ae1b7e77c19b74a92308c3d2d29a30747c8b6bc5dc69
• Opcode Fuzzy Hash: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
• Instruction Fuzzy Hash: 7561CD32200B81CBEB20CF26E544BAC77A4FB89B94F5A8625CE6D47B94EF34C640D745
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F42F3
• VirtualFree.KERNEL32 ref: 000001845C4F431D
• VirtualAlloc.KERNEL32 ref: 000001845C4F4334
                                                                                                                                              • InitializeCriticalSection.KERNEL32 ref: 000001845C4F43BE
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F4443
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F446D
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$InitializeLeave
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2124124174-0
                                                                                                                                              • Opcode ID: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
                                                                                                                                              • Instruction ID: a8e427942c35cec85f2793ef9c5189df9fe1f9dee50e364628768ae85526dbf1
                                                                                                                                              • Opcode Fuzzy Hash: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
                                                                                                                                              • Instruction Fuzzy Hash: 7C513B32311F5187EB64DF52E448A9DB3A8FB99B84F458225DE8E43B14EF38D254C744
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                                • Part of subcall function 000001845C4FC760: WTSEnumerateSessionsW.WTSAPI32 ref: 000001845C4FC79F
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4FEFC4
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4FEFEE
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4FF026
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4FF050
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$EnumerateInitializeSessions
                                                                                                                                              • String ID: @
                                                                                                                                              • API String ID: 3635408051-3454712805
                                                                                                                                              • Opcode ID: e5ffd8acee62a3162d13eb417bf543901fc6efb17b9c23c1632ba5cdd8a3b5f2
                                                                                                                                              • Instruction ID: fe2a1b11a244d2460e220219cc061c55bcb0dccc338f4f97a8c8c9840a149f08
                                                                                                                                              • Opcode Fuzzy Hash: e5ffd8acee62a3162d13eb417bf543901fc6efb17b9c23c1632ba5cdd8a3b5f2
                                                                                                                                              • Instruction Fuzzy Hash: 98316A32715B4187EB64DF23E594A6EB3A5FB89F80B048125DF8A43F24CF39D1668B44
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: strchr
                                                                                                                                              • String ID: http://$http_proxy needs to be ads:port$lws_set_proxy$proxy auth too long
                                                                                                                                              • API String ID: 2830005266-175238664
                                                                                                                                              • Opcode ID: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
                                                                                                                                              • Instruction ID: 9f2d23f7384d2047ac6b813f2f486d51783b7fad88cd278b84496e990a2613f4
                                                                                                                                              • Opcode Fuzzy Hash: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
                                                                                                                                              • Instruction Fuzzy Hash: 3C31A5313047A687EA54DBA1E5503DEE390A765B84F848321DE8D0778AEF28C71AC348
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E57CB
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E57F5
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E5BA8
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E5BD2
                                                                                                                                                • Part of subcall function 000001845C4FBC20: memcpy.NTDLL ref: 000001845C4FBC45
                                                                                                                                                • Part of subcall function 000001845C4FBC20: memset.NTDLL ref: 000001845C4FBCDA
                                                                                                                                                • Part of subcall function 000001845C4FBC20: wsprintfW.USER32 ref: 000001845C4FBCF9
                                                                                                                                                • Part of subcall function 000001845C4FBC20: SetFileAttributesW.KERNEL32 ref: 000001845C4FBD09
                                                                                                                                                • Part of subcall function 000001845C4FBC20: DeleteFileW.KERNEL32 ref: 000001845C4FBD14
                                                                                                                                                • Part of subcall function 000001845C4FBC20: CreateFileW.KERNEL32 ref: 000001845C4FBD44
                                                                                                                                                • Part of subcall function 000001845C4FBC20: GetLastError.KERNEL32 ref: 000001845C4FBD53
                                                                                                                                                • Part of subcall function 000001845C4FBC20: SetFileAttributesW.KERNEL32 ref: 000001845C4FBDA0
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$FileFree$EnterRead$AttributesLeave$CreateDeleteErrorInitializeLastmemcpymemsetwsprintf
                                                                                                                                              • String ID: 18.139.89.40
                                                                                                                                              • API String ID: 3047218378-3059993899
                                                                                                                                              • Opcode ID: 4748c9799fc4aab539902931fc7cd806f5684b6e31aa09dd6eb953e43b6e7f72
                                                                                                                                              • Instruction ID: a391221028da52a931ab5245a941d8779cb48e5165278a6034237c40aa5b18d1
                                                                                                                                              • Opcode Fuzzy Hash: 4748c9799fc4aab539902931fc7cd806f5684b6e31aa09dd6eb953e43b6e7f72
                                                                                                                                              • Instruction Fuzzy Hash: A3318432715A5183EB64DF63E454BAEA3A5FB9AF80F42C215DE8A03B54DE38C2858704
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: memcpy$AllocVirtualceil
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 311976409-0
                                                                                                                                              • Opcode ID: ed14ec51c383a9a13ba0ce0240a1051b4facac114c8e2550c0a0b869aba092f1
                                                                                                                                              • Instruction ID: e910bb324fda9891ad99681a985b866267f775c39579cf1d786137f05ab0db0b
                                                                                                                                              • Opcode Fuzzy Hash: ed14ec51c383a9a13ba0ce0240a1051b4facac114c8e2550c0a0b869aba092f1
                                                                                                                                              • Instruction Fuzzy Hash: 2831D631705A51C7EB498F56E64066CB3A0F795FC0F10C629EB59A3B44DF34E5718709
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E5706
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E5730
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E5BA8
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4E5BD2
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
                                                                                                                                              • String ID: 18.139.89.40
                                                                                                                                              • API String ID: 696443088-3059993899
                                                                                                                                              • Opcode ID: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
                                                                                                                                              • Instruction ID: 95cc61d044d32f3f46f1d9e5549131e888fe6ea168b391ad97ffcfcc51993111
                                                                                                                                              • Opcode Fuzzy Hash: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
                                                                                                                                              • Instruction Fuzzy Hash: 1E317C36701B4183EB64DF52E558BAEA3A5FB96B80F41C205DE8603B54CF39C2848B44
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • CreateThread.KERNEL32 ref: 000001845C4ED907
                                                                                                                                              • IsBadReadPtr.KERNEL32 ref: 000001845C4ED928
                                                                                                                                              • EnterCriticalSection.KERNEL32 ref: 000001845C4ED93B
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4ED952
                                                                                                                                              • LeaveCriticalSection.KERNEL32 ref: 000001845C4ED976
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$AllocVirtual$EnterRead$Leave$CreateInitializeThread
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 986707815-0
                                                                                                                                              • Opcode ID: 13fe9d48963e991135e2c963f540b907288d56d1b03b0de4579185a6b58a6942
                                                                                                                                              • Instruction ID: 1e259b2579f232f141b4b700cbbbef7d9d55310bfd01888a2678eaa85867c06a
                                                                                                                                              • Opcode Fuzzy Hash: 13fe9d48963e991135e2c963f540b907288d56d1b03b0de4579185a6b58a6942
                                                                                                                                              • Instruction Fuzzy Hash: DB317F72310B5187EB189F62E80429DB7A4FB89FD4F888125DE4A47B64DF3CC655C744
                                                                                                                                              APIs
                                                                                                                                              • malloc.MSVCRT ref: 000001845C4EDB85
                                                                                                                                              • lstrcatW.KERNEL32 ref: 000001845C4EDBAC
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                                • Part of subcall function 000001845C4EC850: memset.NTDLL ref: 000001845C4EC895
                                                                                                                                                • Part of subcall function 000001845C4EC850: lstrcatW.KERNEL32 ref: 000001845C4EC8A4
                                                                                                                                                • Part of subcall function 000001845C4EC850: lstrcatW.KERNEL32 ref: 000001845C4EC8B8
                                                                                                                                                • Part of subcall function 000001845C4EC850: memset.NTDLL ref: 000001845C4EC8CB
                                                                                                                                                • Part of subcall function 000001845C4EC850: FindFirstFileW.KERNEL32 ref: 000001845C4EC8DC
                                                                                                                                                • Part of subcall function 000001845C4EC850: FindNextFileW.KERNEL32 ref: 000001845C4EC935
                                                                                                                                                • Part of subcall function 000001845C4EC850: FindNextFileW.KERNEL32 ref: 000001845C4EC999
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4EDBF3
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4EDC1D
                                                                                                                                              • free.MSVCRT ref: 000001845C4EDC26
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$EnterFileFindReadlstrcat$FreeLeaveNextmemset$FirstInitializefreemalloc
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2817660952-0
                                                                                                                                              • Opcode ID: e62f3b6bb31d4131cbf3e8879ad1a17dd29e8ffe2323acf7510d4be1f2a2089e
                                                                                                                                              • Instruction ID: b48555a1e507ca90de4ff69cd7640c4b4d7d15249ca8b55e30fdcf33e6bd1bbb
                                                                                                                                              • Opcode Fuzzy Hash: e62f3b6bb31d4131cbf3e8879ad1a17dd29e8ffe2323acf7510d4be1f2a2089e
                                                                                                                                              • Instruction Fuzzy Hash: 4721C031311A9187EB58DF53E85469EA364F789FC0F89C125DE8A47B18CE3CC2458784
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _set_statfp
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1156100317-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Process$CloseCreateCurrentHandleObjectSingleTerminateThreadWait
• String ID:
• API String ID: 603326088-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memset$_unlink
• String ID: lws_free
• API String ID: 1884818752-2419506585
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *$ko-KR
• API String ID: 3215553584-1095117856
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *$ko-KR
• API String ID: 3215553584-1095117856
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: _time64memset
• String ID: %s: calling service$__lws_header_table_reset
• API String ID: 899224009-1639372703
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: AllocErrorInitLastStringVariant
• String ID: \Microsoft\Windows
• API String ID: 3210815728-1732172413
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual$Message
• String ID: boom...
• API String ID: 3815264287-1338744694
APIs
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C50808C
• memcpy.NTDLL ref: 000001845C508111
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C50814D
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C508189
• memcpy.NTDLL(?,?,00000000,000001845C509458,?,00000000,?,000001845C506506), ref: 000001845C50823D
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
                                                                                                                                              • Opcode ID: f3cc9281a8ca6978993dbb056fb31bd63bef0cb429795cc02bd43722efd32982
                                                                                                                                              • Instruction ID: 6e2f8722be242c9693fde34e80ae3bcb337e74a725c9c68e32019f628c3beee6
                                                                                                                                              • Opcode Fuzzy Hash: f3cc9281a8ca6978993dbb056fb31bd63bef0cb429795cc02bd43722efd32982
                                                                                                                                              • Instruction Fuzzy Hash: CAD16C32704A699BDB18DF69C680BEDB7A1F798B84F108219CB1A93751DF30E971CB44
                                                                                                                                              APIs
                                                                                                                                              • memset.NTDLL ref: 000001845C4ECBFA
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4ECC35
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4ECC5F
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4ECC89
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4ECCB3
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initializememset
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3460648485-0
                                                                                                                                              • Opcode ID: 2e3307218b09c89e9c461952443fd9212c3d484f2fdb84382dce19c2a9132c91
                                                                                                                                              • Instruction ID: 4b4f2f0c69269e69e380a2e8796ecb7daf7cbb273a8b84d6c7038131b7cc48a1
                                                                                                                                              • Opcode Fuzzy Hash: 2e3307218b09c89e9c461952443fd9212c3d484f2fdb84382dce19c2a9132c91
                                                                                                                                              • Instruction Fuzzy Hash: EA317632315B1183EB68DFA7E5546AEA3A1FB89F80F48C125CF8A43B54CF38D2258745
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ctx destroy$free$lws_free
                                                                                                                                              • API String ID: 0-48050916
                                                                                                                                              • Opcode ID: c79e9a5b3c5bd1239040c7372c3514e6a6eb692877582e33914cb575e8c015d2
                                                                                                                                              • Instruction ID: 6c38439df13aa206ad39362956e5cd5a9ab1febe43f32c77d95b2d5721cd5529
                                                                                                                                              • Opcode Fuzzy Hash: c79e9a5b3c5bd1239040c7372c3514e6a6eb692877582e33914cb575e8c015d2
                                                                                                                                              • Instruction Fuzzy Hash: 27D1223A3007AA83EA5C9FA185543EDE7A0F765B88F44C225CF5993386DF38D652C748
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: __swift_1$__swift_2
                                                                                                                                              • API String ID: 0-2914474356
                                                                                                                                              • Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                              • Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
                                                                                                                                              • Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                              • Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: __swift_1$__swift_2
                                                                                                                                              • API String ID: 0-2914474356
                                                                                                                                              • Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                              • Instruction ID: eedcba72b94e8455cf12a778523fd45130f16c321118e2a38ffc4f48c2386725
                                                                                                                                              • Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                              • Instruction Fuzzy Hash: 0C617833300B4283EE14DF29E94479DB3A1FB85B94F4885259FA987B99DF38D681CB40
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • WaitForMultipleObjects.KERNEL32 ref: 000001845C4FDEC1
                                                                                                                                              • WaitForMultipleObjects.KERNEL32 ref: 000001845C4FDF8D
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4FDFCC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4FDFF6
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveMultipleObjectsWait$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1197094596-0
                                                                                                                                              • Opcode ID: a128fd323118e7b58d08c31b868d147948c3dda6663b584a6b7ab4b22ceeec38
                                                                                                                                              • Instruction ID: 46d03c28b81d713b62dc0ee3c19c2ea336c73226b8fd242c926eefdebbd266bb
                                                                                                                                              • Opcode Fuzzy Hash: a128fd323118e7b58d08c31b868d147948c3dda6663b584a6b7ab4b22ceeec38
                                                                                                                                              • Instruction Fuzzy Hash: 3A419372714B8183E764CF22E444B9EB3A1FB8AF84F449225DE4A43B58DF39D585CB44
                                                                                                                                              APIs
                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 000001845C4FF0A4
                                                                                                                                              • ProcessIdToSessionId.KERNEL32 ref: 000001845C4FF0B1
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4FF164
• VirtualFree.KERNEL32 ref: 000001845C4FF18E
  • Part of subcall function 000001845C4E6F60: GetCurrentProcessId.KERNEL32 ref: 000001845C4E6FDB
  • Part of subcall function 000001845C4E6F60: ProcessIdToSessionId.KERNEL32 ref: 000001845C4E6FEB
  • Part of subcall function 000001845C4E6F60: CreateToolhelp32Snapshot.KERNEL32 ref: 000001845C4E7014
  • Part of subcall function 000001845C4E6F60: GetProcessHeap.KERNEL32 ref: 000001845C4E7023
  • Part of subcall function 000001845C4E6F60: HeapAlloc.KERNEL32 ref: 000001845C4E7036
  • Part of subcall function 000001845C4E6F60: CloseHandle.KERNEL32 ref: 000001845C4E7047
  • Part of subcall function 000001845C4E6F60: WTSGetActiveConsoleSessionId.KERNEL32 ref: 000001845C4E7056
  • Part of subcall function 000001845C4E6F60: VirtualFree.KERNEL32 ref: 000001845C4E71B6
  • Part of subcall function 000001845C4E6F60: VirtualFree.KERNEL32 ref: 000001845C4E71E0
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$Process$Free$EnterReadSession$CurrentHeapLeave$ActiveCloseConsoleCreateHandleInitializeSnapshotToolhelp32
• String ID:
• API String ID: 1320018004-0
• Opcode ID: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
• Instruction ID: 7420d9b516cc9deb25acfb55635c1f6d44fa2edc544d09a0e64d928ddb7144fa
• Opcode Fuzzy Hash: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
• Instruction Fuzzy Hash: 81318076320B9183FB64DF22E95069D73A0FB89F84F449225EE4A43B58DF38D944CB44
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• SetEvent.KERNEL32 ref: 000001845C4FDB49
• CloseHandle.KERNEL32 ref: 000001845C4FDB58
• ResetEvent.KERNEL32 ref: 000001845C4FDB66
• VirtualFree.KERNEL32 ref: 000001845C4FDB85
Similarity
• API ID: CriticalSectionVirtual$Alloc$EnterRead$EventLeave$CloseFreeHandleInitializeReset
• String ID:
• API String ID: 4208512464-0
• Opcode ID: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
• Instruction ID: 6705fd6d2a8541dd6c27418da88626eb42734a23867f9b9124a49dacb94b8bd2
• Opcode Fuzzy Hash: ca07846258ba37867d244566e482efccc0d3ec0fcc94a16ac108a6f4784184ef
• Instruction Fuzzy Hash: 78318F36314B4183EB58CF62E89466DA7A1FB89F80F098225DF4A43B59CF38D151C708
APIs
• GetCurrentProcessId.KERNEL32 ref: 000001845C4F35DD
• ProcessIdToSessionId.KERNEL32 ref: 000001845C4F35EA
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F367E
• VirtualFree.KERNEL32 ref: 000001845C4F36A8
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveProcess$CurrentInitializeSession
• String ID:
• API String ID: 3327369976-0
• Opcode ID: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
• Instruction ID: 7196dadce2c0905dc7dad1aea6b02bc194bb81c3b001215d31666647237d63d3
• Opcode Fuzzy Hash: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
• Instruction Fuzzy Hash: CC316932714B5587EB24DF66E44465EB3A0FB88F80F54822AEB8A43B18DF3DD645CB44
APIs
Similarity
• API ID: Virtual$AllocFreeceilmemcpy
• String ID:
• API String ID: 941304502-0
• Opcode ID: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
• Instruction ID: 03d8d04eefa4f88c2af919b14a714cbbbcc34e481a278beb3efaa3deaa601ccb
• Opcode Fuzzy Hash: b42a51ca5293a3dee87d5691d064886e3cec9dc4675c393a7935541609b8591d
• Instruction Fuzzy Hash: 1D212832714A50CBDB55DF3AF45069DA361EBC9F84F19D221EA0A9374DCE38C9818B48
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• CreateThread.KERNEL32 ref: 000001845C4FA782
• CloseHandle.KERNEL32 ref: 000001845C4FA790
• VirtualFree.KERNEL32 ref: 000001845C4FA7AC
• VirtualFree.KERNEL32 ref: 000001845C4FA7D6
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 4031785131-0
                                                                                                                                              • Opcode ID: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
                                                                                                                                              • Instruction ID: d141c33c1d52ef5d229e11d6843b61b1bf05e92c2042a35a69b650b747ac969b
                                                                                                                                              • Opcode Fuzzy Hash: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
                                                                                                                                              • Instruction Fuzzy Hash: 90213A76704A5183EB28DF63E45465EA3A1FB8EFD0F448129DF8A43B18DF38D2558744
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F6188
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F61B2
                                                                                                                                              • CreateThread.KERNEL32 ref: 000001845C4F61CF
                                                                                                                                              • CloseHandle.KERNEL32 ref: 000001845C4F61DD
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 4031785131-0
                                                                                                                                              • Opcode ID: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
                                                                                                                                              • Instruction ID: 510e9499f5cc28d9af2dbd49f79e28911d199451cf4eadb52fad4193c3bd6a31
                                                                                                                                              • Opcode Fuzzy Hash: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
                                                                                                                                              • Instruction Fuzzy Hash: 30118F32715B5283EB18CFA3E64469EA3A1FB89FC0F48C225CB4A43B54DF38D2618744
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Event$ObjectSingleWait
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 2127046782-0
                                                                                                                                              • Opcode ID: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
                                                                                                                                              • Instruction ID: d171baca4dfdd28b7a0fb397c1e9a91fbc1745542710ced2c475a9aeb32a851d
                                                                                                                                              • Opcode Fuzzy Hash: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
                                                                                                                                              • Instruction Fuzzy Hash: 7E01887171455DC3DBA58F66F98469DA3E0F7E8FD0F888215CA0987758DD34C9888708
                                                                                                                                              APIs
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Cursor$CountInfoOpenProcessTick
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1051838312-0
                                                                                                                                              • Opcode ID: 367ce5d8dd7bc755535d42e0695e3db5e97519ce22b5c81c9f6c4a96f8940a8e
                                                                                                                                              • Instruction ID: c08fd90f93898ae8ac595b90b36deeb78f2546420467600c66ceae41a3f07c27
                                                                                                                                              • Opcode Fuzzy Hash: 367ce5d8dd7bc755535d42e0695e3db5e97519ce22b5c81c9f6c4a96f8940a8e
                                                                                                                                              • Instruction Fuzzy Hash: D4F0A472610A4A83E7049F71E8042ADB3A1FBA5B4DF448326C64A06755EF38C6D4CB88
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$h-l1-2-0.dll
                                                                                                                                              • API String ID: 0-1747795296
                                                                                                                                              • Opcode ID: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
                                                                                                                                              • Instruction ID: a2a64c9656dbf3ac80e007cf1625033fad391ae153a40853377359a67ab715bb
                                                                                                                                              • Opcode Fuzzy Hash: 0f20d8eddffe02f4355215346de876ec0be27590aef8c60f560b2699b0830f65
                                                                                                                                              • Instruction Fuzzy Hash: 0DE15B73301B4693EF14EB2DD54029C27A0F745FA0F848129DA9D977A2DF38CAA5CB80
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: gfff$o-l1-2-1
                                                                                                                                              • API String ID: 3215553584-1082851355
                                                                                                                                              • Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                              • Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
                                                                                                                                              • Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                              • Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: gfff$o-l1-2-1
                                                                                                                                              • API String ID: 3215553584-1082851355
                                                                                                                                              • Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                              • Instruction ID: 35f44d6248e26576cf52ff3a087703af49e5567ca7485271ac6f2982216cf897
                                                                                                                                              • Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                              • Instruction Fuzzy Hash: CC5115737147C687E7258F29A94139DAB91E381B90F48E225D7D987AD6CF38D644CB00
                                                                                                                                              APIs
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: _invalid_parameter_noinfo
                                                                                                                                              • String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
                                                                                                                                              • API String ID: 3215553584-688204690
                                                                                                                                              • Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                              • Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
                                                                                                                                              • Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                              • Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
• API String ID: 3215553584-688204690
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: DestructExceptionObject$__vcrt_getptd_noexit
• String ID: csm
• API String ID: 3780691363-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: DestructExceptionObject$__vcrt_getptd_noexit
• String ID: csm
• API String ID: 3780691363-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Windowlstrlen$memset$Process$ByteCharDataForegroundInputLocalMultiProcSessionTextThreadTimeWide__chkstkwsprintf
• String ID: 0
• API String ID: 780575994-4108050209
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: `vector destructor iterator'$nt delete closure'
• API String ID: 592178966-1611991873
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: `vector destructor iterator'$nt delete closure'
• API String ID: 592178966-1611991873
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2924508884.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000002.00000002.2924420756.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924902224.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2924991283.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2925086635.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180000000_svchost.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID: File
• API String ID: 932687459-749574446
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID: File
• API String ID: 932687459-749574446
APIs
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34EB
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E34FD
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3510
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3527
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3556
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3568
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E357B
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3592
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35C1
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E35D3
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35E6
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E35FD
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E362C
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E363E
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3654
• VirtualFree.KERNEL32 ref: 000001845C4EC7B5
• VirtualFree.KERNEL32 ref: 000001845C4EC7DF
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4EC7F5
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4EC81F
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 3420869360-0
                                                                                                                                              • Opcode ID: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
                                                                                                                                              • Instruction ID: 1949ad6ce855557eb9f2fdda37de7fbcb8374af68fccec7940809157b0e3c1ee
                                                                                                                                              • Opcode Fuzzy Hash: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
                                                                                                                                              • Instruction Fuzzy Hash: F7416632715B4187EB68CF63E458A5EB7A5FB89F80F058629DF8A03B18DF39C5458B04
                                                                                                                                              APIs
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C503B10
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C503B3A
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C503B50
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C503B7A
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 696443088-0
                                                                                                                                              • Opcode ID: c9680d75c501e4054c7710036f39944100f54ecf03344763eed7e87a999867f9
                                                                                                                                              • Instruction ID: 8e57e9c47c0c91b85c74fdf310b37a671cc85f468b9c1bb62407fc9c17c0e00a
                                                                                                                                              • Opcode Fuzzy Hash: c9680d75c501e4054c7710036f39944100f54ecf03344763eed7e87a999867f9
                                                                                                                                              • Instruction Fuzzy Hash: EA416D32315B5183EB58CF52E458A6EB3A5FB89F80F46C125DE9A43B08DF39C145CB04
                                                                                                                                              APIs
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4F8213
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F8258
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F828E
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F829F
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1953590826-0
                                                                                                                                              • Opcode ID: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                                              • Instruction ID: b021d3e20db22dc384ed840fdd73e1c0644c1e2c31e5f928e516ccf68f1c1b8a
                                                                                                                                              • Opcode Fuzzy Hash: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                                              • Instruction Fuzzy Hash: 89319171311E4183FB988FA2E9547AD63A0FB9AFD0F09C225CE1A4BB85DF38D5918744
                                                                                                                                              APIs
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C4F1274
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
                                                                                                                                                • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
                                                                                                                                                • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
                                                                                                                                                • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
                                                                                                                                                • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
                                                                                                                                                • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F12B9
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F12EF
                                                                                                                                              • VirtualFree.KERNEL32 ref: 000001845C4F1300
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                               • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                               • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1953590826-0
                                                                                                                                              • Opcode ID: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                                              • Instruction ID: 503629a583d82f2db71ad6f6d26cd3434a3095504a4ab20d434b4ab9767f3ece
                                                                                                                                              • Opcode Fuzzy Hash: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                                              • Instruction Fuzzy Hash: 5D31C131300A4283FB588F67E554BAD63A0FB8AFC4F08C220CE0A47B48DF38C6418B48
                                                                                                                                              APIs
                                                                                                                                              • VirtualAlloc.KERNEL32 ref: 000001845C501F04
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C501F49
• VirtualFree.KERNEL32 ref: 000001845C501F7F
• VirtualFree.KERNEL32 ref: 000001845C501F90
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: f4df4a3ac5e6fb09ea1b5c184ea8ce42575441d447ce80640701a34ba3f7fd77
• Instruction ID: 49f9329188b9d6abe498b2bca3c8d2890d877e615598e4e10f98194f18bdf9cd
• Opcode Fuzzy Hash: f4df4a3ac5e6fb09ea1b5c184ea8ce42575441d447ce80640701a34ba3f7fd77
• Instruction Fuzzy Hash: 6231D231310A5683EB588FA3E5543AEA3A1FB98FC0F08C220DE0A87B48DF38C6408345
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4F7004
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4F7049
• VirtualFree.KERNEL32 ref: 000001845C4F707F
• VirtualFree.KERNEL32 ref: 000001845C4F7090
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 68638a45072214ee0e893a58682f264645d2bfca7efd773f1cf6502fd29ef5f2
• Instruction ID: b75bfda7276ca02bfb281d32dc2c110b5e880e542f52a4f3397260d3f8504fba
• Opcode Fuzzy Hash: 68638a45072214ee0e893a58682f264645d2bfca7efd773f1cf6502fd29ef5f2
• Instruction Fuzzy Hash: AB318931310A4287EB588F62E554BAE63B1AF89FD4F088225DE0A47B88DF29D6518744
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C503094
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C5030D9
• VirtualFree.KERNEL32 ref: 000001845C50310F
• VirtualFree.KERNEL32 ref: 000001845C503120
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
• Instruction ID: 6fb94a90e37f9765f0c36bf6e74c400f00e152602e08781c553fa173a7744c00
• Opcode Fuzzy Hash: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
• Instruction Fuzzy Hash: 03318F71310A5683EB58CFA3E55479DA3A1FB99FC4F08D225CF0A87B88DF28C6558744
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4FD93A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4FD97F
• VirtualFree.KERNEL32 ref: 000001845C4FD9B5
• VirtualFree.KERNEL32 ref: 000001845C4FD9C6
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
• Instruction ID: 68cb259764e527b6eb98e7c7e5c3ed4dd9c869c01c1d1295c362145bb3e2d0a8
• Opcode Fuzzy Hash: ec5b1167f005ac1d8a69da9b77871cfdf6301f2a7abf43893b2e18070580acd4
• Instruction Fuzzy Hash: 41319131310A4283EB58CFA3E554BAD63A0FB49FD4F08C225CE0A47B88DF28D6558744
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4EC1B4
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4EC1F9
• VirtualFree.KERNEL32 ref: 000001845C4EC22F
• VirtualFree.KERNEL32 ref: 000001845C4EC240
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
                                                                                                                                              • Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              • Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID: 1953590826-0
APIs
• VirtualAlloc.KERNEL32 ref: 000001845C4EB1D4
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3347
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E338F
  • Part of subcall function 000001845C4E3330: InitializeCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33A3
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E33BC
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33CF
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E33E6
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3415
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3427
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E343A
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3451
  • Part of subcall function 000001845C4E3330: LeaveCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E3480
  • Part of subcall function 000001845C4E3330: IsBadReadPtr.KERNEL32 ref: 000001845C4E3492
  • Part of subcall function 000001845C4E3330: EnterCriticalSection.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34A5
  • Part of subcall function 000001845C4E3330: VirtualAlloc.KERNEL32(?,?,?,000001845C4E2014), ref: 000001845C4E34BC
• VirtualFree.KERNEL32 ref: 000001845C4EB219
• VirtualFree.KERNEL32 ref: 000001845C4EB24F
• VirtualFree.KERNEL32 ref: 000001845C4EB260
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
• API String ID: 0-4293706295
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
• API String ID: 0-4293706295
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
• API String ID: 0-4293706295
Strings
Memory Dump Source
• Source File: 00000002.00000002.2931170899.000001845BF30000.00000004.00000001.00020000.00000000.sdmp, Offset: 000001845BF30000, based on PE: true
• Associated: 00000002.00000002.2931240789.000001845C050000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931259361.000001845C051000.00000020.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845bf30000_svchost.jbxd
Similarity
• API ID:
• String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
• API String ID: 0-4293706295
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterRead
• String ID:
• API String ID: 2917996470-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2931527423.000001845C4D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001845C4D0000, based on PE: true
• Associated: 00000002.00000002.2931507591.000001845C4D0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931562398.000001845C538000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931583634.000001845C54C000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000002.00000002.2931602590.000001845C552000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1845c4d0000_svchost.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0